6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Size

126KB
MD5

20a354f57449946583a4e43f92aa1114
SHA1

a00a5ef977a06243a54cc437fe3c831eda4e7ff1
SHA256

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362
SHA512

954eb745f50525b1e50f0dc32106867a0c4af4bffcaf341e1eabdae294a7471ea26b0a87848b0c68cb2aad0aa90d976d15cfb3db7cfeecf4e322acbe9782dab9
SSDEEP

3072:1EboFVlGAvwsgbpvYfMTc72L10fPsout6S:qBzsgbpvnTcyOPsoS6S

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3756-11-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-13-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-10-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-27-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-33-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-32-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-31-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-15-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-25-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-23-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-21-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-19-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-17-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-29-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-8-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-5-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-4-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/3756-2-0x00000000005B0000-0x0000000000605000-memory.dmp	UPX
behavioral2/memory/1580-96-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1580-99-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1580-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1580-101-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1580-112-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-124-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-130-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-128-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-126-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-122-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-116-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-114-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-120-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-118-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-110-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-108-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-106-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-104-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
behavioral2/memory/1580-103-0x00000000032F0000-0x0000000003345000-memory.dmp	UPX
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\1D11D1E123.IMD	UPX
C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	UPX
behavioral2/memory/4580-195-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1580-244-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4580-245-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1580 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

KVEIF.jpg

pid process

1108 KVEIF.jpg
Loads dropped DLL 4 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exeKVEIF.jpgsvchost.exe

pid process

3756 6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
1580 svchost.exe
1108 KVEIF.jpg
4580 svchost.exe

pid	process
1580	svchost.exe

pid	process
1108	KVEIF.jpg

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3756-11-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-13-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-10-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-27-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-33-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-32-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-31-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-15-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-25-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-23-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-21-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-19-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-17-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-29-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-8-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-5-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-4-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/3756-2-0x00000000005B0000-0x0000000000605000-memory.dmp	upx
behavioral2/memory/1580-112-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-124-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-130-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-128-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-126-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-122-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-116-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-114-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-120-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-118-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-110-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-108-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-106-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-104-0x00000000032F0000-0x0000000003345000-memory.dmp	upx
behavioral2/memory/1580-103-0x00000000032F0000-0x0000000003345000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

description	ioc	process
File created	C:\Windows\SysWOW64\kernel64.dll	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exeKVEIF.jpg

description	pid	process	target process
PID 3756 set thread context of 1580	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 1108 set thread context of 4580	1108	KVEIF.jpg	svchost.exe

Drops file in Program Files directory 23 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exesvchost.exeKVEIF.jpg

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFmain.ini	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\$$.tmp	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFss1.ini	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\ok.txt	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs1.ini	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIF.jpg	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFs5.ini	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

description	ioc	process
File created	C:\Windows\web\606C646364636479.tmp	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exeKVEIF.jpg

pid	process
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1580	svchost.exe
1108	KVEIF.jpg
1108	KVEIF.jpg
1108	KVEIF.jpg
1108	KVEIF.jpg
1108	KVEIF.jpg
1108	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1580 svchost.exe

pid	process
1580	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exesvchost.exeKVEIF.jpgsvchost.exe

description	pid	process
Token: SeDebugPrivilege	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1108	KVEIF.jpg
Token: SeDebugPrivilege	1108	KVEIF.jpg
Token: SeDebugPrivilege	1108	KVEIF.jpg
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	4580	svchost.exe
Token: SeDebugPrivilege	1580	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.execmd.exeKVEIF.jpg

description	pid	process	target process
PID 3756 wrote to memory of 1580	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 3756 wrote to memory of 1580	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 3756 wrote to memory of 1580	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 3756 wrote to memory of 1580	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 3756 wrote to memory of 1580	3756	6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe	svchost.exe
PID 2488 wrote to memory of 1108	2488	cmd.exe	KVEIF.jpg
PID 2488 wrote to memory of 1108	2488	cmd.exe	KVEIF.jpg
PID 2488 wrote to memory of 1108	2488	cmd.exe	KVEIF.jpg
PID 1108 wrote to memory of 4580	1108	KVEIF.jpg	svchost.exe
PID 1108 wrote to memory of 4580	1108	KVEIF.jpg	svchost.exe
PID 1108 wrote to memory of 4580	1108	KVEIF.jpg	svchost.exe
PID 1108 wrote to memory of 4580	1108	KVEIF.jpg	svchost.exe
PID 1108 wrote to memory of 4580	1108	KVEIF.jpg	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe
"C:\Users\Admin\AppData\Local\Temp\6a987139d9ec2ab82bb4d9fdc8276df209ed94e35f2d203a0fa6ad7b28a03362.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530445D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\1D11D1E123.IMD

Filesize
127KB

MD5
0d33dac12cb3bd2f0e942203824313b6

SHA1
39cfaf501c69629214b4200b3c7664c08af601ef

SHA256
cff63c9bce27dfc348f79f48da527ca06cd1f022bc95fb6d94292b9442df2b1e

SHA512
79e8822effdb4fcd2f13b651df15c914238957492191b605597e30b42bf1fdd19757f0374e27258d3b1cf4ab34f6332f06f417d37e700c6ff53908ec61c034d8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\KVEIFss1.ini

Filesize
22B

MD5
2056c975629bc764596c2ba68ab3c6da

SHA1
35e3da93ce68d24c687e8c972f8fa2b903be75b8

SHA256
8485a6ec9ad79a1ed2331a428944711c4064f0c607017dae51c7e7f65fe70ff7

SHA512
c4d4932e81956578e505ac454d964ccd1d7d123e8393d532db15ba42e456ceff8394baba021e8ae7ae2f9aef0e51840aecef12252cf9c6766e8b247eb08e86ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1E\ok.txt

Filesize
104B

MD5
47a9c2c9870422eb89b3fa094493f277

SHA1
7d6e212b0ba438bc1bb6121634c57f8d0b0dd4c9

SHA256
b73847f7426f241f857e1dd3e61b2e8288f4735ff3e6d3d211fe1007d0e9bf2c

SHA512
011bf9a6302ab98c50489fb65bf6146aa4d9a43b854f6c752697e6066ba590d60b2c0a8f1e59cb08ce929fce85f3ea00a59faebafe0c02c4c103cd9fe63d835d

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1E\KVEIF.jpg

Filesize
126KB

MD5
1a6b2bcf4c1dfa0ce10533f825c7ab66

SHA1
3f46df1ff45c74ba82cc0c7c65fb602aca8fd419

SHA256
0f36aad8eb6a7a30a2f90bb6c8c84d79996d9730ae6674c287b04ffc6e669516

SHA512
ffc829c324d863716ddecd1f1c68510eac4181da91fba3b4874cf0bb39003bff72f4cef29e545db490a8ad2eb0aee9e1658b937afe94520d54562eae0b6de723

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\1D11D1E123.IMD

Filesize
126KB

MD5
3e7c07b0c9d38cbbbf6fae3cdc048933

SHA1
76274b607dc3ae51d94e2d41a0c5414219387513

SHA256
a0bd183d95603bb0e7adda08e5aa149249ecd86f5e1461896b9e5aaf2efec48f

SHA512
ed1835ccad557130b42ebe17fe91d4eb34b02a2d919332f6764eafe1d85f5024c4a4ce70377408344a2f4e5f4ea4ace56426e80390b14262f3cf43ed1ea007fb

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\KVEIFmain.ini

Filesize
1KB

MD5
c545aefc0180b2ae5f71d345b9b439e3

SHA1
235ce16ad997098f6eeee4e684e20c92706b48a6

SHA256
4741874e4fc78599e2ce06cad2219064aaca4939f0c3081b9e31e05ba4186a62

SHA512
7eec6e573019cc0cbda14d6fb3ce014538e05f99c1a94936deb82d4e4a7bcdb7cf3291cb0dea00da9d29b2ad37f4134cd7be597376e16710de3adc5088e4192f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1E\KVEIFmain.ini

Filesize
1KB

MD5
e7eb235ef38023586f9dadb939b1cbfc

SHA1
389de59fd4faea0370752a204b4061cbcc3afc66

SHA256
1c1d44ef048b9d15729ed8477e4e7050b2504e6e2b03059f4918ab5fbc4d9eb0

SHA512
820d7b2aab01d6ee804c4806346e03a2520bd590abe773096869c3be1bdee215d3a95ca17666b1527655da2184f374613d19ce8d752d9112d3d64ff5571e57c4

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/1580-120-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-118-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-244-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1580-103-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-104-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-106-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-108-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-110-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-114-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-116-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-122-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-126-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-128-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-96-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1580-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1580-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1580-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1580-112-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-124-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/1580-130-0x00000000032F0000-0x0000000003345000-memory.dmp

Filesize
340KB

Download
memory/3756-8-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-19-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-31-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-15-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-25-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-2-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-4-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-32-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-23-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-21-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-11-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-29-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-17-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-33-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-27-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-10-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-13-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/3756-5-0x00000000005B0000-0x0000000000605000-memory.dmp

Filesize
340KB

Download
memory/4580-195-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4580-245-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download