6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Size

126KB
MD5

20a354f57449946583a4e43f92aa1114
SHA1

a00a5ef977a06243a54cc437fe3c831eda4e7ff1
SHA256

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362
SHA512

954eb745f50525b1e50f0dc32106867a0c4af4bffcaf341e1eabdae294a7471ea26b0a87848b0c68cb2aad0aa90d976d15cfb3db7cfeecf4e322acbe9782dab9
SSDEEP

3072:1EboFVlGAvwsgbpvYfMTc72L10fPsout6S:qBzsgbpvnTcyOPsoS6S

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 40 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1132-13-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-11-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-9-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-5-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-3-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-2-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-7-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-15-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-29-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-27-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-25-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-23-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-21-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-19-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-17-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-33-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-32-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/1132-31-0x0000000000220000-0x0000000000275000-memory.dmp	UPX
behavioral1/memory/2468-71-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2468-74-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2468-75-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2468-77-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2468-88-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-89-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-101-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-99-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-97-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-95-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-93-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-91-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-85-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-83-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-81-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-79-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
behavioral1/memory/2468-78-0x0000000000130000-0x0000000000185000-memory.dmp	UPX
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	UPX
C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	UPX
behavioral1/memory/1616-173-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2468-219-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1616-220-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2468 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

KVEIF.jpg

pid process

2416 KVEIF.jpg
Loads dropped DLL 4 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exeKVEIF.jpgwininit.exe

pid process

1132 6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
2468 svchost.exe
2416 KVEIF.jpg
1616 wininit.exe

pid	process
2468	svchost.exe

pid	process
2416	KVEIF.jpg

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1132-13-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-11-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-9-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-5-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-3-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-2-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-7-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-15-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-29-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-27-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-25-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-23-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-21-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-19-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-17-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-33-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-32-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/1132-31-0x0000000000220000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2468-88-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-89-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-101-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-99-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-97-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-95-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-93-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-91-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-85-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-83-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-81-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-79-0x0000000000130000-0x0000000000185000-memory.dmp	upx
behavioral1/memory/2468-78-0x0000000000130000-0x0000000000185000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

description	ioc	process
File created	C:\Windows\SysWOW64\kernel64.dll	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exeKVEIF.jpg

description	pid	process	target process
PID 1132 set thread context of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 2416 set thread context of 1616	2416	KVEIF.jpg	wininit.exe

Drops file in Program Files directory 23 IoCs

Processes:

svchost.exe6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exeKVEIF.jpgwininit.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\$$.tmp	svchost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	wininit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs1.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	wininit.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	wininit.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	wininit.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\ok.txt	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFss1.ini	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

Drops file in Windows directory 2 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

description	ioc	process
File created	C:\Windows\web\606C646364636479.tmp	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

KVEIF.jpg

pid process

2416 KVEIF.jpg

pid	process
2416	KVEIF.jpg

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exeKVEIF.jpgwininit.exe

pid	process
1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2416	KVEIF.jpg
2416	KVEIF.jpg
2416	KVEIF.jpg
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
2468	svchost.exe
1616	wininit.exe
2468	svchost.exe
1616	wininit.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
2468	svchost.exe
1616	wininit.exe
2468	svchost.exe
1616	wininit.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
1616	wininit.exe
1616	wininit.exe
1616	wininit.exe
2468	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2468 svchost.exe

pid	process
2468	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exeKVEIF.jpgwininit.exe

description	pid	process
Token: SeDebugPrivilege	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2416	KVEIF.jpg
Token: SeDebugPrivilege	2416	KVEIF.jpg
Token: SeDebugPrivilege	2416	KVEIF.jpg
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.execmd.exeKVEIF.jpg

description	pid	process	target process
PID 1132 wrote to memory of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 1132 wrote to memory of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 1132 wrote to memory of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 1132 wrote to memory of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 1132 wrote to memory of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 1132 wrote to memory of 2468	1132	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 2920 wrote to memory of 2416	2920	cmd.exe	KVEIF.jpg
PID 2920 wrote to memory of 2416	2920	cmd.exe	KVEIF.jpg
PID 2920 wrote to memory of 2416	2920	cmd.exe	KVEIF.jpg
PID 2920 wrote to memory of 2416	2920	cmd.exe	KVEIF.jpg
PID 2416 wrote to memory of 1616	2416	KVEIF.jpg	wininit.exe
PID 2416 wrote to memory of 1616	2416	KVEIF.jpg	wininit.exe
PID 2416 wrote to memory of 1616	2416	KVEIF.jpg	wininit.exe
PID 2416 wrote to memory of 1616	2416	KVEIF.jpg	wininit.exe
PID 2416 wrote to memory of 1616	2416	KVEIF.jpg	wininit.exe
PID 2416 wrote to memory of 1616	2416	KVEIF.jpg	wininit.exe

C:\Users\Admin\AppData\Local\Temp\6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
"C:\Users\Admin\AppData\Local\Temp\6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\wininit.exe
    C:\Windows\System32\wininit.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD

Filesize
127KB

MD5
381c130271523eac02c41d632120761a

SHA1
462ae954fbf408914f87bbd4b47addf3d61558d0

SHA256
f33ad06dba9c3d3f3e307dd967e8afbaeb596fe72973d2bb891e713f3e9b11df

SHA512
7e68272821eba2155af68afc49bba253973ca98e1e932443ffc69e9888dea974116a8a368481e3923754297b362e888039347cb18c897358dab4af7699115e59

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD

Filesize
126KB

MD5
9dd88f8b9bef83ceb72199445da7958b

SHA1
9e3393ad86670b29583f5d780abfbce23c512818

SHA256
840e681882aa2df19bf2e47fab943aa5606316590a4045e34242f87ee5b7b2e4

SHA512
d593fbfac88600ae3c5c310c1f0aedb970e04b571987cda1f9025c53193fd45cd3bc6b23c0e6c35130c8682185ef9f2f794eb7bffa0006aae2d4b8740868db8a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini

Filesize
711B

MD5
5b85700764c7f8ed2db3d99aba090ff3

SHA1
89521db8d1abb29e082628efdd23c547fa54ef44

SHA256
ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24

SHA512
00600e12dc1067eba53760eedfc4f408e88053a87462d55f01478887a9b4095138d471cc186684f0c14f4c2559da978e0ef3f78341910ecf1ca8caac9f67a642

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFss1.ini

Filesize
22B

MD5
2056c975629bc764596c2ba68ab3c6da

SHA1
35e3da93ce68d24c687e8c972f8fa2b903be75b8

SHA256
8485a6ec9ad79a1ed2331a428944711c4064f0c607017dae51c7e7f65fe70ff7

SHA512
c4d4932e81956578e505ac454d964ccd1d7d123e8393d532db15ba42e456ceff8394baba021e8ae7ae2f9aef0e51840aecef12252cf9c6766e8b247eb08e86ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\ok.txt

Filesize
104B

MD5
47a9c2c9870422eb89b3fa094493f277

SHA1
7d6e212b0ba438bc1bb6121634c57f8d0b0dd4c9

SHA256
b73847f7426f241f857e1dd3e61b2e8288f4735ff3e6d3d211fe1007d0e9bf2c

SHA512
011bf9a6302ab98c50489fb65bf6146aa4d9a43b854f6c752697e6066ba590d60b2c0a8f1e59cb08ce929fce85f3ea00a59faebafe0c02c4c103cd9fe63d835d

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg

Filesize
126KB

MD5
72d60916b573024c48db12571ffd00cf

SHA1
b79bca84db881f383ef50f93c8c394c2d59b9115

SHA256
781835504f05e2c45b3bacf39d77f337dfc7ad6cad0c622cc51789f94f47a0a6

SHA512
2b817091abe6dc5373cc18422bbbc0cc1466a2c9b9f409435e2ae0009f83362d13b0e5cd9f53b79554d8f27a724a8f2e93a4dc7c2b4472d50c1a4afcf9637fff

Download Submit
\Windows\SysWOW64\kernel64.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/1132-21-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-32-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-25-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-23-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-13-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-19-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-17-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-29-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-33-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-7-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-31-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-27-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-2-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-11-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-9-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-5-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-15-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1132-3-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1616-173-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1616-220-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-89-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-79-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-97-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-95-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-93-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-91-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-85-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-83-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-81-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-99-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-78-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-101-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-88-0x0000000000130000-0x0000000000185000-memory.dmp

Filesize
340KB

Download
memory/2468-77-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-74-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-219-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2468-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download