3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d

General

Target

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
Size

326KB
MD5

a59664f37c25edaa69c39a65490ed3a9
SHA1

01bb46541bc678fe9d97cea31cb61f3db861ba68
SHA256

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d
SHA512

76ba5fea9e63bf091ac2f2234447ad48c93b1b21594fd2c737d24073efc2871265c83622364764c886769d579c727784c045d3d4b2fc0a6e778dc30e64f1f393
SSDEEP

6144:Rj8KWXflIwycVYUcBrcisb765kohreOCSYA/U:+Kkfl3x0BrcdEkoWCc

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2112 takeown.exe
1640 icacls.exe

pid	process
2112	takeown.exe
1640	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe

Executes dropped EXE 2 IoCs

Processes:

wmpnetwk.exewmixedwk.exe

pid process

3152 wmpnetwk.exe
1336 wmixedwk.exe
Loads dropped DLL 2 IoCs

Processes:

wmpnetwk.exewmixedwk.exe

pid process

3152 wmpnetwk.exe
1336 wmixedwk.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2112 takeown.exe
1640 icacls.exe

pid	process
3152	wmpnetwk.exe
1336	wmixedwk.exe

pid	process
3152	wmpnetwk.exe
1336	wmixedwk.exe

pid	process
2112	takeown.exe
1640	icacls.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2804-79-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2804-78-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2804-76-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2804-75-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/2804-74-0x0000000140000000-0x000000014011B000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\2804.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\696.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\info	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3652.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3348.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4168.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4600.hecate	svchost.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

wmixedwk.exesvchost.exe

description	pid	process	target process
PID 1336 set thread context of 676	1336	wmixedwk.exe	svchost.exe
PID 676 set thread context of 2804	676	svchost.exe	svchost.exe
PID 676 set thread context of 2436	676	svchost.exe	svchost.exe
PID 676 set thread context of 696	676	svchost.exe	svchost.exe
PID 676 set thread context of 3652	676	svchost.exe	svchost.exe
PID 676 set thread context of 3348	676	svchost.exe	svchost.exe
PID 676 set thread context of 4168	676	svchost.exe	svchost.exe
PID 676 set thread context of 4600	676	svchost.exe	svchost.exe

Drops file in Program Files directory 7 IoCs

Processes:

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\background.jpg	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\mpsvc.dll	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\wmixedwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File opened for modification	C:\Program Files\Windows Media Player\wmixedwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpa	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe
File opened for modification	\??\c:\windows\ppqqxpb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ed814a88babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000885dca68babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000553a90a68babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000809e19a88babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009935eda68babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059d5aca68babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\yzzg	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007483fba68babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000304f65a68babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\yzzg\c = "ㄱ㜱"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5116 PING.EXE

pid	process
5116	PING.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

takeown.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2112	takeown.exe
Token: 33	2820	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2820	SearchIndexer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.execmd.exewmixedwk.exesvchost.execmd.exeSearchIndexer.exe

description	pid	process	target process
PID 4992 wrote to memory of 4016	4992	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 4992 wrote to memory of 4016	4992	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 4016 wrote to memory of 2112	4016	cmd.exe	takeown.exe
PID 4016 wrote to memory of 2112	4016	cmd.exe	takeown.exe
PID 4016 wrote to memory of 1640	4016	cmd.exe	icacls.exe
PID 4016 wrote to memory of 1640	4016	cmd.exe	icacls.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 1336 wrote to memory of 676	1336	wmixedwk.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2804	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 2436	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 696	676	svchost.exe	svchost.exe
PID 4992 wrote to memory of 2084	4992	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 4992 wrote to memory of 2084	4992	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2084 wrote to memory of 5116	2084	cmd.exe	PING.EXE
PID 2084 wrote to memory of 5116	2084	cmd.exe	PING.EXE
PID 2820 wrote to memory of 832	2820	SearchIndexer.exe	SearchProtocolHost.exe
PID 2820 wrote to memory of 832	2820	SearchIndexer.exe	SearchProtocolHost.exe
PID 2820 wrote to memory of 4488	2820	SearchIndexer.exe	SearchFilterHost.exe
PID 2820 wrote to memory of 4488	2820	SearchIndexer.exe	SearchFilterHost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3652	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe
PID 676 wrote to memory of 3348	676	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
"C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:5116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:832

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4488

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3152

C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2804

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2436

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:696

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3652

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3348

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4168

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\background.jpg
Filesize
1.9MB

MD5
2ae78a18e71d4696964e021f3241287a

SHA1
562ac6a611ef5b44abd61db261a11289950f7efb

SHA256
ac4c16749c6d77dd153327c18c4bf6d48c8268efcbbb9d0515ea582e0fed19d2

SHA512
a7d1bcee4296fa1569d401b1886022da2384a33080baa1ab82cf86ff708351fe3784297d9e104927b7f581ad351bc7c900db5953e22dbd262ce76b9ee62c11ca

Download Submit
C:\Program Files\Windows Media Player\mpsvc.dll
Filesize
126KB

MD5
51835bc0013021fac02572d2a4f371c3

SHA1
1c5dc6300992e0410a469280c7384d2dee1033f0

SHA256
1ec23649104d52fe4bd81868896ace1860c2b579c07b1ff3ae8bf9b544cf093d

SHA512
beb67411146a72c610a298547e86934ef48258d9caaa0f7c024a9914d0e010dde5ddd9699e25baddbbe0c6b9cb3d43124de3673c4bae4fe45f61d7d7f0f99f68

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
23KB

MD5
90b85ffbdeead1be861d59134ea985b0

SHA1
55e9859aa7dba87678e7c529b571fdf6b7181339

SHA256
ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

SHA512
8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

Download Submit
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
Filesize
28KB

MD5
98ddf99d62e398f7f9958cb8c3bb655b

SHA1
1edf9932c9e048e2de35d595a7283d8e1d1b48aa

SHA256
ce62abda7d9d2917d7d765000d93bf9f551c6a2ce8082e89cf589af3c97410ee

SHA512
9770c5548beda6a31b8b1a061071fe04879e0c2f75aad2d1ff6a0cf94fa5fe1d8124ae78245403111216ceb094c17282d35a3b48994d3beecee298cf242022b2

Download Submit
C:\kkxqbh.bat
Filesize
135B

MD5
213c3f1aa1f2ee05f1c6618d192fffc5

SHA1
a517128a03b995935ff9cce15916ba84250f28b0

SHA256
8d68538bab28f4e7bd4af85a501e13fb228aae17ab8d5c17abceefa94948b607

SHA512
efabf818a1a1efdf4c448dd8fc98f2956866d80d5cc3b05e00561a767628d3cf3d7912782218acc234ec1e752dc3be0150ba87f00039fdd9f4eaa7922ddd01fe

Download Submit
memory/676-70-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-72-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-71-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-63-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-68-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-67-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-66-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-65-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/676-64-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/1336-73-0x00007FFC22510000-0x00007FFC22536000-memory.dmp

Filesize
152KB

Download
memory/2436-81-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-85-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-84-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-82-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-90-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-89-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-83-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-87-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2436-86-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/2804-75-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2804-79-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2804-78-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2804-76-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2804-74-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2820-35-0x0000024E1B390000-0x0000024E1B3A0000-memory.dmp

Filesize
64KB

Download
memory/2820-51-0x0000024E1F880000-0x0000024E1F888000-memory.dmp

Filesize
32KB

Download
memory/2820-19-0x0000024E1B290000-0x0000024E1B2A0000-memory.dmp

Filesize
64KB

Download
memory/3152-80-0x00007FFC22510000-0x00007FFC22536000-memory.dmp

Filesize
152KB

Download
memory/4992-0-0x00007FF78776A000-0x00007FF78776B000-memory.dmp

Filesize
4KB

Download
memory/4992-5-0x00007FF787750000-0x00007FF7877A6000-memory.dmp

Filesize
344KB

Download
memory/4992-3-0x0000029557BE0000-0x0000029557C0C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads