Analysis Overview
SHA256
e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16
Threat Level: Likely malicious
The file e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Creates new service(s)
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Deletes itself
Executes dropped EXE
UPX packed file
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-24 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 02:17
Reported
2024-05-24 02:22
Platform
win10v2004-20240508-en
Max time kernel
299s
Max time network
299s
Command Line
Signatures
Creates new service(s)
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3596.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\812.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4944.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1596.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3172.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\5112.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2284.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4076.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\info | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2852.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4748.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1732.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2388.hecate | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\background.jpg | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxds | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpp | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpa | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\yzzg | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b5df69380adda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041c2ba9380adda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054aec69380adda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a7d989480adda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\sc.exe
sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sta.alie3ksgee.com | udp |
| HK | 103.146.158.221:80 | sta.alie3ksgee.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.158.146.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cl.alie3ksgff.com | udp |
| US | 8.8.8.8:53 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| US | 8.8.8.8:53 | 161.14.108.182.in-addr.arpa | udp |
| US | 149.28.212.217:6666 | cl.alie3ksgff.com | udp |
| US | 8.8.8.8:53 | 217.212.28.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| HK | 103.146.158.221:80 | sta.alie3ksgee.com | tcp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
| CN | 182.108.14.161:6666 | myxqbh.top | udp |
Files
memory/1144-0-0x00007FF989C10000-0x00007FF989C32000-memory.dmp
memory/1144-3-0x0000025CA9880000-0x0000025CA98AC000-memory.dmp
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 90b85ffbdeead1be861d59134ea985b0 |
| SHA1 | 55e9859aa7dba87678e7c529b571fdf6b7181339 |
| SHA256 | ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2 |
| SHA512 | 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce |
memory/4908-18-0x000001F961B60000-0x000001F961B70000-memory.dmp
memory/4908-34-0x000001F961E00000-0x000001F961E10000-memory.dmp
memory/4908-50-0x000001F966150000-0x000001F966158000-memory.dmp
C:\Program Files\Windows Media Player\mpsvc.dll
| MD5 | 7b207ce9f9d71dfc2eaa2e959634a54d |
| SHA1 | 8222daa0c820e50d02ffabdc55dfb7461bbaa1e5 |
| SHA256 | 757af7a540628004b446117be432342674f7830fa008f97a5f4a1ac386954bc2 |
| SHA512 | 6ffbe6e33768e2fbea8c7cee428eb4b61e3eb1dd12e470de363f1d6e274296adabc8d1e681fe5a5f2b1dc8e8eb08bd360572bfd34706e82580c51be57f6fcf5a |
C:\Program Files\Windows Media Player\background.jpg
| MD5 | e37e46d9eb3834d3e8845166e1828568 |
| SHA1 | a875d07db50b10131a5c3675501de2d805e742a1 |
| SHA256 | 9f8f9457950e10770f96239f3fbcc35239b3459456c992b51a80c50d257acb36 |
| SHA512 | 7b95e1e861bece9b5cb7205b52edbe2230b883e76c8188c41107a116e987f122e80a5299c595a692127e42663fddedd27df9074f70b1836d6c305e855bce2021 |
memory/4900-68-0x0000000140000000-0x0000000140026000-memory.dmp
memory/2284-79-0x0000000140000000-0x000000014011B000-memory.dmp
memory/2284-90-0x000002D778E20000-0x000002D778ED6000-memory.dmp
memory/2284-85-0x000002D778E00000-0x000002D778E1F000-memory.dmp
memory/2284-84-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2284-83-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2284-80-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2284-78-0x0000000140000000-0x000000014011B000-memory.dmp
C:\kkxqbh.bat
| MD5 | 44a3af72a2e7efad7f05b5b264f2b133 |
| SHA1 | cfd7c8451a0c6e8123328b18f96bec50d04b50ab |
| SHA256 | 471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4 |
| SHA512 | 3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a |
memory/2284-76-0x0000000140000000-0x000000014011B000-memory.dmp
memory/2284-75-0x0000000140000000-0x000000014011B000-memory.dmp
memory/2284-74-0x0000000140000000-0x000000014011B000-memory.dmp
memory/4900-71-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-70-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-67-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-66-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-65-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-64-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-63-0x0000000140000000-0x0000000140026000-memory.dmp
memory/4900-62-0x0000000140000000-0x0000000140026000-memory.dmp
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
| MD5 | d39122bc111a1013fbaf9380fcc34ce8 |
| SHA1 | fb61a7dfe577a4eee6521f8ca524455dbc3ad189 |
| SHA256 | 32666d8a3a86a99caf875c7d067b8573b56534e25da8c5dea3271b492ae0a78a |
| SHA512 | 806df4b5617252fec2ab4b4dc9415be4f9f09a3f362437f05ef9996895b343c63be4bb2575a72830e34310260dadbe2834dec372bf9c3d5ad0232902cf5ecf84 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 02:17
Reported
2024-05-24 02:22
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Creates new service(s)
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\background.jpg | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File created | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\cmd.exe
cmd /c ""C:\kkxqbh.bat" "
C:\Windows\system32\sc.exe
sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sta.alie3ksgee.com | udp |
| HK | 103.146.158.221:80 | sta.alie3ksgee.com | tcp |
Files
memory/1044-0-0x000000013F89D000-0x000000013F89F000-memory.dmp
memory/1044-4-0x0000000002440000-0x000000000246C000-memory.dmp
memory/1044-5-0x000000013F890000-0x000000013F8CC000-memory.dmp
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 90b85ffbdeead1be861d59134ea985b0 |
| SHA1 | 55e9859aa7dba87678e7c529b571fdf6b7181339 |
| SHA256 | ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2 |
| SHA512 | 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce |
C:\kkxqbh.bat
| MD5 | 44a3af72a2e7efad7f05b5b264f2b133 |
| SHA1 | cfd7c8451a0c6e8123328b18f96bec50d04b50ab |
| SHA256 | 471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4 |
| SHA512 | 3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a |
memory/1044-27-0x0000000002440000-0x000000000246C000-memory.dmp