Resubmissions
18-05-2024 01:48
240518-b8ehbsee95 10 18-05-2024 01:47
240518-b7snkaee49 10 18-05-2024 01:40
240518-b3mlraec26 10
Analysis
-
max time kernel
260s -
max time network
262s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system -
submitted
18-05-2024 01:48
Behavioral task
behavioral1
Sample
XcHvYYrNa.exe
Resource
win10-20240404-en
Errors
General
-
Target
XcHvYYrNa.exe
-
Size
111KB
-
MD5
98e558eaea97f0b282b42fa6d49070b6
-
SHA1
2e48bb1b50177fe17392ac9407ba9f7e45685a3a
-
SHA256
d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1
-
SHA512
01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882
-
SSDEEP
1536:v+bDH/4gqLM91qQIwBI5xxxxdyyKDWfebhDqI68QWfzCrAZuYPwDr:Wb7/4jLSIFxxj8bxqH8QWfzCrAZuYUr
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot6444357834:AAGtL3te5_xl4dvacn8BJElHrky5SlLcE_4/sendMessage?chat_id=5563559839
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3928 IShadowRTX.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe
File opened for modification C:\Users\Public\desktop.ini wmplayer.exe
File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe
File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\I: unregmp2.exe
File opened (read-only) \??\L: unregmp2.exe
File opened (read-only) \??\T: unregmp2.exe
File opened (read-only) \??\K: wmplayer.exe
File opened (read-only) \??\M: unregmp2.exe
File opened (read-only) \??\N: unregmp2.exe
File opened (read-only) \??\V: unregmp2.exe
File opened (read-only) \??\B: wmplayer.exe
File opened (read-only) \??\E: wmplayer.exe
File opened (read-only) \??\O: wmplayer.exe
File opened (read-only) \??\S: wmplayer.exe
File opened (read-only) \??\V: wmplayer.exe
File opened (read-only) \??\J: unregmp2.exe
File opened (read-only) \??\U: unregmp2.exe
File opened (read-only) \??\W: unregmp2.exe
File opened (read-only) \??\G: unregmp2.exe
File opened (read-only) \??\S: unregmp2.exe
File opened (read-only) \??\Q: wmplayer.exe
File opened (read-only) \??\X: wmplayer.exe
File opened (read-only) \??\O: unregmp2.exe
File opened (read-only) \??\P: unregmp2.exe
File opened (read-only) \??\Q: unregmp2.exe
File opened (read-only) \??\R: unregmp2.exe
File opened (read-only) \??\Y: unregmp2.exe
File opened (read-only) \??\L: wmplayer.exe
File opened (read-only) \??\T: wmplayer.exe
File opened (read-only) \??\A: unregmp2.exe
File opened (read-only) \??\X: unregmp2.exe
File opened (read-only) \??\G: wmplayer.exe
File opened (read-only) \??\M: wmplayer.exe
File opened (read-only) \??\U: wmplayer.exe
File opened (read-only) \??\Y: wmplayer.exe
File opened (read-only) \??\B: unregmp2.exe
File opened (read-only) \??\E: unregmp2.exe
File opened (read-only) \??\H: unregmp2.exe
File opened (read-only) \??\Z: unregmp2.exe
File opened (read-only) \??\H: wmplayer.exe
File opened (read-only) \??\I: wmplayer.exe
File opened (read-only) \??\J: wmplayer.exe
File opened (read-only) \??\P: wmplayer.exe
File opened (read-only) \??\W: wmplayer.exe
File opened (read-only) \??\K: unregmp2.exe
File opened (read-only) \??\A: wmplayer.exe
File opened (read-only) \??\N: wmplayer.exe
File opened (read-only) \??\R: wmplayer.exe
File opened (read-only) \??\Z: wmplayer.exe
-
Drops file in Windows directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe
File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe
File created C:\Windows\rescache\_merged\421858948\2704036608.pri LogonUI.exe
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\e0b1d268-f9c2-48f5-874b-80a302f4addb_3.jpg dashost.exe
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\e0b1d268-f9c2-48f5-874b-80a302f4addb_0.png dashost.exe
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\e0b1d268-f9c2-48f5-874b-80a302f4addb_1.png dashost.exe
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\e0b1d268-f9c2-48f5-874b-80a302f4addb_2.jpg dashost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 644 schtasks.exe 2292 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1820 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2212 tasklist.exe -
Modifies data under HKEY_USERS 16 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache dashost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe
-
Modifies registry class 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings OpenWith.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer wmplayer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" wmplayer.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3928 IShadowRTX.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3928 IShadowRTX.exe (this entry repeated 64 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1452 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process
Token: SeDebugPrivilege 4024 XcHvYYrNa.exe
Token: SeDebugPrivilege 2212 tasklist.exe
Token: SeDebugPrivilege 3928 IShadowRTX.exe
Token: SeDebugPrivilege 3928 IShadowRTX.exe
Token: SeTcbPrivilege 4496 svchost.exe
Token: SeRestorePrivilege 4496 svchost.exe
Token: SeShutdownPrivilege 2860 unregmp2.exe
Token: SeCreatePagefilePrivilege 2860 unregmp2.exe
Token: SeShutdownPrivilege 2608 wmplayer.exe
Token: SeCreatePagefilePrivilege 2608 wmplayer.exe
Token: SeDebugPrivilege 1452 taskmgr.exe
Token: SeSystemProfilePrivilege 1452 taskmgr.exe
Token: SeCreateGlobalPrivilege 1452 taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2608 wmplayer.exe
1452 taskmgr.exe (this entry repeated for the remaining 63 IoCs)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
1452 taskmgr.exe (this entry repeated 64 times)
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process
3928 IShadowRTX.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
784 OpenWith.exe
4092 LogonUI.exe
4092 LogonUI.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target
PID 4024 wrote to memory of 644 4024 XcHvYYrNa.exe 75
PID 4024 wrote to memory of 644 4024 XcHvYYrNa.exe 75
PID 4024 wrote to memory of 2608 4024 XcHvYYrNa.exe 77
PID 4024 wrote to memory of 2608 4024 XcHvYYrNa.exe 77
PID 2608 wrote to memory of 2212 2608 cmd.exe 79
PID 2608 wrote to memory of 2212 2608 cmd.exe 79
PID 2608 wrote to memory of 2364 2608 cmd.exe 80
PID 2608 wrote to memory of 2364 2608 cmd.exe 80
PID 2608 wrote to memory of 1820 2608 cmd.exe 81
PID 2608 wrote to memory of 1820 2608 cmd.exe 81
PID 2608 wrote to memory of 3928 2608 cmd.exe 82
PID 2608 wrote to memory of 3928 2608 cmd.exe 82
PID 3928 wrote to memory of 2292 3928 IShadowRTX.exe 84
PID 3928 wrote to memory of 2292 3928 IShadowRTX.exe 84
PID 4496 wrote to memory of 3076 4496 svchost.exe 90
PID 4496 wrote to memory of 3076 4496 svchost.exe 90
PID 4236 wrote to memory of 3852 4236 wmplayer.exe 95
PID 4236 wrote to memory of 3852 4236 wmplayer.exe 95
PID 4236 wrote to memory of 3852 4236 wmplayer.exe 95
PID 4236 wrote to memory of 4260 4236 wmplayer.exe 96
PID 4236 wrote to memory of 4260 4236 wmplayer.exe 96
PID 4236 wrote to memory of 4260 4236 wmplayer.exe 96
PID 4260 wrote to memory of 2860 4260 unregmp2.exe 97
PID 4260 wrote to memory of 2860 4260 unregmp2.exe 97
PID 3852 wrote to memory of 2608 3852 setup_wm.exe 98
PID 3852 wrote to memory of 2608 3852 setup_wm.exe 98
PID 3852 wrote to memory of 2608 3852 setup_wm.exe 98
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
  - C:\Windows\System32\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
    - Creates scheduled task(s)
    PID:644
  - C:\Windows\System32\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6254.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6254.tmp.bat
    - Suspicious use of WriteProcessMemory
    PID:2608
    - C:\Windows\system32\tasklist.exe (level 3)
      Command line: Tasklist /fi "PID eq 4024"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID:2212
    - C:\Windows\system32\find.exe (level 3)
      Command line: find ":"
      PID:2364
    - C:\Windows\system32\timeout.exe (level 3)
      Command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe
      PID:1820
    - C:\Users\NVIDIA\IShadowRTX.exe (level 3)
      Command line: "IShadowRTX.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3928
      - C:\Windows\System32\schtasks.exe (level 4)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
        - Creates scheduled task(s)
        PID:2292
- \??\c:\windows\system32\svchost.exe (level 1)
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4496
  - C:\Windows\system32\dashost.exe (level 2)
    Command line: dashost.exe {e175af6c-4c69-40b6-b0eeeece545f5e99}
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3076
- C:\Windows\system32\OpenWith.exe (level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:784
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe (level 1)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  - Suspicious use of WriteProcessMemory
  PID:4236
  - C:\Program Files (x86)\Windows Media Player\setup_wm.exe (level 2)
    Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    - Suspicious use of WriteProcessMemory
    PID:3852
    - C:\Program Files (x86)\Windows Media Player\wmplayer.exe (level 3)
      Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\ResizeUnpublish.mp2
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:2608
  - C:\Windows\SysWOW64\unregmp2.exe (level 2)
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    - Suspicious use of WriteProcessMemory
    PID:4260
    - C:\Windows\System32\unregmp2.exe (level 3)
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      PID:2860
- \??\c:\windows\system32\svchost.exe (level 1)
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
  - Drops file in Windows directory
  PID:3160
- C:\Windows\system32\taskmgr.exe (level 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1452
- C:\Windows\system32\LogonUI.exe (level 1)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aab055 /state1:0x41c64e6d
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:4092
Network
MITRE ATT&CK Enterprise v15
Downloads