Analysis Overview
SHA256
0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c
Threat Level: Likely malicious
The file 0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-21 08:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 08:45
Reported
2024-05-21 08:48
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4504.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\info | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3360.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2984.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4348.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4508.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1212.hecate | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4144 set thread context of 2412 | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 1212 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 4572 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 4504 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 3360 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 2984 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 4348 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 2412 set thread context of 4508 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | \??\c:\windows\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | \??\c:\windows\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | \??\c:\windows\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | \??\c:\windows\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da60e9775babda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002ed877c5babda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\yzzg\c = "〱㌲" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86} | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B} | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bda2e17d5babda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eed30885babda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c.exe
"C:\Users\Admin\AppData\Local\Temp\0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
Network
Files
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 90b85ffbdeead1be861d59134ea985b0 |
| SHA1 | 55e9859aa7dba87678e7c529b571fdf6b7181339 |
| SHA256 | ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2 |
| SHA512 | 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce |
C:\Program Files\Windows Media Player\mpsvc.dll
| MD5 | 51835bc0013021fac02572d2a4f371c3 |
| SHA1 | 1c5dc6300992e0410a469280c7384d2dee1033f0 |
| SHA256 | 1ec23649104d52fe4bd81868896ace1860c2b579c07b1ff3ae8bf9b544cf093d |
| SHA512 | beb67411146a72c610a298547e86934ef48258d9caaa0f7c024a9914d0e010dde5ddd9699e25baddbbe0c6b9cb3d43124de3673c4bae4fe45f61d7d7f0f99f68 |
C:\Program Files\Windows Media Player\background.jpg
| MD5 | 2ae78a18e71d4696964e021f3241287a |
| SHA1 | 562ac6a611ef5b44abd61db261a11289950f7efb |
| SHA256 | ac4c16749c6d77dd153327c18c4bf6d48c8268efcbbb9d0515ea582e0fed19d2 |
| SHA512 | a7d1bcee4296fa1569d401b1886022da2384a33080baa1ab82cf86ff708351fe3784297d9e104927b7f581ad351bc7c900db5953e22dbd262ce76b9ee62c11ca |
C:\kkxqbh.bat
| MD5 | 8b14465df37b0fe459227fd5bbdbd7bc |
| SHA1 | 318f23974ef653eaa902691142db3ba90d7212d7 |
| SHA256 | 6e1b21cd5431bd7833ef765e0768edd8b4175cd8d376c54a5b3d89be7d466217 |
| SHA512 | 36fee4ae07a87a897f2daf30f3c859b73ea97f4fbde3c6f95e9c5dafab1cb8a842edad24caa3467b6ce49049fb26411ba10599af473ced7f94c6b56644ed032a |
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
| MD5 | 6c80729534bb65cf635870e40082df3c |
| SHA1 | d87d013bf691f770fb62fbafd781e23bd268f0ee |
| SHA256 | cf05ae1d1aaffc4237510fe0f0112f33f43ac97f955f258caa6685b356c880bf |
| SHA512 | a46466df8946e95d0d83ff35d5364f79a763cd67fccdb8d84f24f24a21677898cd3c991e27a7f501be6ecbcb3a30933c5e224886ad3a28d78bcc65d368f6ccda |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 08:45
Reported
2024-05-21 08:48
Platform
win11-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2832.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2284.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\info | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1016.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3756.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1580.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3656.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4556.hecate | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2484 set thread context of 3580 | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 2832 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 4956 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 2284 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 1016 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 3756 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 1580 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 3656 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3580 set thread context of 4556 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000334a3e795babda01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a97dd4795babda01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e52f5b765babda01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\yzzg\c = "〱ㄲ" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fab40795babda01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000922de5795babda01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\yzzg | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c.exe
"C:\Users\Admin\AppData\Local\Temp\0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 828 2648 2636 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 828 2644 2640 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sta.alie3ksgee.com | udp |
| HK | 103.146.158.221:80 | sta.alie3ksgee.com | tcp |
| US | 8.8.8.8:53 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| US | 149.28.212.217:6666 | cl.alie3ksgff.com | udp |
Files
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 90b85ffbdeead1be861d59134ea985b0 |
| SHA1 | 55e9859aa7dba87678e7c529b571fdf6b7181339 |
| SHA256 | ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2 |
| SHA512 | 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce |
C:\Program Files\Windows Media Player\mpsvc.dll
| MD5 | 51835bc0013021fac02572d2a4f371c3 |
| SHA1 | 1c5dc6300992e0410a469280c7384d2dee1033f0 |
| SHA256 | 1ec23649104d52fe4bd81868896ace1860c2b579c07b1ff3ae8bf9b544cf093d |
| SHA512 | beb67411146a72c610a298547e86934ef48258d9caaa0f7c024a9914d0e010dde5ddd9699e25baddbbe0c6b9cb3d43124de3673c4bae4fe45f61d7d7f0f99f68 |
C:\Program Files\Windows Media Player\background.jpg
| MD5 | 2ae78a18e71d4696964e021f3241287a |
| SHA1 | 562ac6a611ef5b44abd61db261a11289950f7efb |
| SHA256 | ac4c16749c6d77dd153327c18c4bf6d48c8268efcbbb9d0515ea582e0fed19d2 |
| SHA512 | a7d1bcee4296fa1569d401b1886022da2384a33080baa1ab82cf86ff708351fe3784297d9e104927b7f581ad351bc7c900db5953e22dbd262ce76b9ee62c11ca |
C:\kkxqbh.bat
| MD5 | 8b14465df37b0fe459227fd5bbdbd7bc |
| SHA1 | 318f23974ef653eaa902691142db3ba90d7212d7 |
| SHA256 | 6e1b21cd5431bd7833ef765e0768edd8b4175cd8d376c54a5b3d89be7d466217 |
| SHA512 | 36fee4ae07a87a897f2daf30f3c859b73ea97f4fbde3c6f95e9c5dafab1cb8a842edad24caa3467b6ce49049fb26411ba10599af473ced7f94c6b56644ed032a |
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
| MD5 | d28e1cfc2473c43764c6519f8dbc5077 |
| SHA1 | 41cebc5a642ed9ef83c5787b89d8e7a4b48cf317 |
| SHA256 | c07aeadb9066c5e3b291a1b305d3c3c04afbbbc90928a67b0045a78d89d5a62f |
| SHA512 | d38089adc70d5888927bd6267d709d7e0440a87f60290aeb5344ddd86c85a3a1f3b04335035a13089b18745263c094dc006b2e41c5b3203fe02f95307597ddf4 |