3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
Size

326KB
MD5

a59664f37c25edaa69c39a65490ed3a9
SHA1

01bb46541bc678fe9d97cea31cb61f3db861ba68
SHA256

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d
SHA512

76ba5fea9e63bf091ac2f2234447ad48c93b1b21594fd2c737d24073efc2871265c83622364764c886769d579c727784c045d3d4b2fc0a6e778dc30e64f1f393
SSDEEP

6144:Rj8KWXflIwycVYUcBrcisb765kohreOCSYA/U:+Kkfl3x0BrcdEkoWCc

Score

9^/10

discovery exploit upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral2/memory/2840-78-0x0000000140000000-0x000000014011B000-memory.dmp	UPX
behavioral2/memory/2840-77-0x0000000140000000-0x000000014011B000-memory.dmp	UPX
behavioral2/memory/2840-87-0x0000017919390000-0x00000179193AF000-memory.dmp	UPX
behavioral2/memory/2840-81-0x0000000140000000-0x000000014011B000-memory.dmp	UPX
behavioral2/memory/2840-80-0x0000000140000000-0x000000014011B000-memory.dmp	UPX

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
116	icacls.exe
2132	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe

Executes dropped EXE 2 IoCs

pid	Process
4056	wmpnetwk.exe
928	wmixedwk.exe

Loads dropped DLL 2 IoCs

pid	Process
4056	wmpnetwk.exe
928	wmixedwk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2132	takeown.exe
116	icacls.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2840-78-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2840-77-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2840-76-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2840-86-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral2/memory/2840-85-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral2/memory/2840-82-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral2/memory/2840-81-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2840-80-0x0000000140000000-0x000000014011B000-memory.dmp	upx

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4312.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1136.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1596.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\2840.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4532.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4520.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4392.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1564.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4876.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4420.hecate	svchost.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 3548	928	wmixedwk.exe	99
PID 3548 set thread context of 2840	3548	svchost.exe	100
PID 3548 set thread context of 2932	3548	svchost.exe	101
PID 3548 set thread context of 4532	3548	svchost.exe	102
PID 3548 set thread context of 4520	3548	svchost.exe	107
PID 3548 set thread context of 4312	3548	svchost.exe	108
PID 3548 set thread context of 1136	3548	svchost.exe	110
PID 3548 set thread context of 4392	3548	svchost.exe	111
PID 3548 set thread context of 1564	3548	svchost.exe	115
PID 3548 set thread context of 4876	3548	svchost.exe	119
PID 3548 set thread context of 4420	3548	svchost.exe	121
PID 3548 set thread context of 1596	3548	svchost.exe	122

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmixedwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpa	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File created	C:\Program Files\Windows Media Player\background.jpg	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File created	C:\Program Files\Windows Media Player\mpsvc.dll	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\wmixedwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1adc7d31babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000995fb9d31babda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f35f0d31babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9d20cd41babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a95cf7d31babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091c1bbd31babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbe8e1d31babda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e171ebd31babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a00784d41babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ab975d41babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2132	takeown.exe
Token: 33	552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4984	2392	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	92
PID 2392 wrote to memory of 4984	2392	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	92
PID 4984 wrote to memory of 2132	4984	cmd.exe	94
PID 4984 wrote to memory of 2132	4984	cmd.exe	94
PID 4984 wrote to memory of 116	4984	cmd.exe	95
PID 4984 wrote to memory of 116	4984	cmd.exe	95
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 928 wrote to memory of 3548	928	wmixedwk.exe	99
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2840	3548	svchost.exe	100
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 2932	3548	svchost.exe	101
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 3548 wrote to memory of 4532	3548	svchost.exe	102
PID 552 wrote to memory of 2064	552	SearchIndexer.exe	103
PID 552 wrote to memory of 2064	552	SearchIndexer.exe	103
PID 552 wrote to memory of 2228	552	SearchIndexer.exe	104
PID 552 wrote to memory of 2228	552	SearchIndexer.exe	104
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4520	3548	svchost.exe	107
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 4312	3548	svchost.exe	108
PID 3548 wrote to memory of 1136	3548	svchost.exe	110
PID 3548 wrote to memory of 1136	3548	svchost.exe	110
PID 3548 wrote to memory of 1136	3548	svchost.exe	110
PID 3548 wrote to memory of 1136	3548	svchost.exe	110

C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
"C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\icacls.exe
    icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2064
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2228

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4056

C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:2840
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    PID:2932
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4532
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:4520
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4312
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1136
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4392
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1564
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4876
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:4420
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\background.jpg

Filesize
1.9MB

MD5
2ae78a18e71d4696964e021f3241287a

SHA1
562ac6a611ef5b44abd61db261a11289950f7efb

SHA256
ac4c16749c6d77dd153327c18c4bf6d48c8268efcbbb9d0515ea582e0fed19d2

SHA512
a7d1bcee4296fa1569d401b1886022da2384a33080baa1ab82cf86ff708351fe3784297d9e104927b7f581ad351bc7c900db5953e22dbd262ce76b9ee62c11ca

Download Submit
C:\Program Files\Windows Media Player\mpsvc.dll

Filesize
126KB

MD5
51835bc0013021fac02572d2a4f371c3

SHA1
1c5dc6300992e0410a469280c7384d2dee1033f0

SHA256
1ec23649104d52fe4bd81868896ace1860c2b579c07b1ff3ae8bf9b544cf093d

SHA512
beb67411146a72c610a298547e86934ef48258d9caaa0f7c024a9914d0e010dde5ddd9699e25baddbbe0c6b9cb3d43124de3673c4bae4fe45f61d7d7f0f99f68

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
23KB

MD5
90b85ffbdeead1be861d59134ea985b0

SHA1
55e9859aa7dba87678e7c529b571fdf6b7181339

SHA256
ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

SHA512
8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

Download Submit
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2

Filesize
30KB

MD5
c81be5e09b787373d16ab3771fe8e29d

SHA1
4edb8e4ac1f4adc7cfa6db1040bd7caeaa0d08eb

SHA256
3371174d1828448fb83db954f9440e7b8bd7d6252c411fea60cb69b9e1000a4a

SHA512
40e8eaf3508a518cbda9bc45a94007450af1556cebb8f53aa10469cbec8bdee029c8db4ad1f07a74c8809f0a102f3a8bbf4b271090e4e8b9d2399bd89ebc05dc

Download Submit
memory/552-19-0x0000022AEA9C0000-0x0000022AEA9D0000-memory.dmp

Filesize
64KB

Download
memory/552-35-0x0000022AEAAC0000-0x0000022AEAAD0000-memory.dmp

Filesize
64KB

Download
memory/552-51-0x0000022AEEFB0000-0x0000022AEEFB8000-memory.dmp

Filesize
32KB

Download
memory/2392-74-0x0000022631370000-0x0000022631399000-memory.dmp

Filesize
164KB

Download
memory/2392-0-0x00007FF77F77A000-0x00007FF77F77B000-memory.dmp

Filesize
4KB

Download
memory/2392-3-0x0000022631370000-0x0000022631399000-memory.dmp

Filesize
164KB

Download
memory/2392-5-0x00007FF77F760000-0x00007FF77F7B6000-memory.dmp

Filesize
344KB

Download
memory/2840-87-0x0000017919390000-0x00000179193AF000-memory.dmp

Filesize
124KB

Download
memory/2840-86-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2840-77-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2840-80-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2840-81-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2840-76-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2840-82-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2840-85-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2840-78-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3548-65-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-63-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-64-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-68-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-66-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-71-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-72-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-67-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/3548-69-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4056-73-0x00007FFEFBAB0000-0x00007FFEFBAD6000-memory.dmp

Filesize
152KB

Download