1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
Size

133KB
MD5

c5257cac8a8fed3ce4b812ea4dff5b9b
SHA1

13784466cd007dce8134be7f72fbc9ee9fd833c1
SHA256

1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0
SHA512

bb473abbae378e30d5cf3961d5976e1b8cf528457fab1bc7fbdf9694d0587186c5a80c451a161780f2570227e6c310051374f8c84586e3ad1b87e1cc54f9790c
SSDEEP

3072:DEboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:ABzsgbpvnTcyOPsoS6nnn

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 42 IoCs

resource	yara_rule
behavioral2/memory/1476-3-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-5-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-7-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-13-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-27-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-33-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-32-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-31-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-25-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-23-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-19-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-18-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-29-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-21-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-15-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-11-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-10-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/1476-2-0x00000000008E0000-0x0000000000935000-memory.dmp	UPX
behavioral2/memory/2228-96-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2228-99-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2228-100-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2228-101-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2228-106-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-110-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-124-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-130-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-128-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-126-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-122-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-120-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-118-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-116-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-114-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-112-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-108-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-104-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/memory/2228-103-0x0000000000C60000-0x0000000000CB5000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-147.dat	UPX
behavioral2/files/0x000900000002342e-156.dat	UPX
behavioral2/memory/4852-195-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/2228-244-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4852-245-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2228	fontdrvhost.exe

Executes dropped EXE 1 IoCs

pid	Process
4520	KVEIF.jpg

Loads dropped DLL 4 IoCs

pid	Process
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
2228	fontdrvhost.exe
4520	KVEIF.jpg
4852	fontdrvhost.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-3-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-5-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-7-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-13-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-27-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-33-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-32-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-31-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-25-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-23-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-19-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-18-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-29-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-21-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-15-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-11-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-10-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/1476-2-0x00000000008E0000-0x0000000000935000-memory.dmp	upx
behavioral2/memory/2228-106-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-110-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-124-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-130-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-128-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-126-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-122-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-120-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-118-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-116-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-114-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-112-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-108-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-104-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx
behavioral2/memory/2228-103-0x0000000000C60000-0x0000000000CB5000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 2228	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe	84
PID 4520 set thread context of 4852	4520	KVEIF.jpg	91

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	fontdrvhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	fontdrvhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp	fontdrvhost.exe
File created	C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg	fontdrvhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA	KVEIF.jpg
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD	KVEIF.jpg
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs1.ini	fontdrvhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\606C646364636479.tmp	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
File opened for modification	C:\Windows\web\606C646364636479.tmp	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
2228	fontdrvhost.exe
4520	KVEIF.jpg
4520	KVEIF.jpg
4520	KVEIF.jpg
4520	KVEIF.jpg
4520	KVEIF.jpg
4520	KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
Token: SeDebugPrivilege	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
Token: SeDebugPrivilege	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
Token: SeDebugPrivilege	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4520	KVEIF.jpg
Token: SeDebugPrivilege	4520	KVEIF.jpg
Token: SeDebugPrivilege	4520	KVEIF.jpg
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	4852	fontdrvhost.exe
Token: SeDebugPrivilege	2228	fontdrvhost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2228	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe	84
PID 1476 wrote to memory of 2228	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe	84
PID 1476 wrote to memory of 2228	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe	84
PID 1476 wrote to memory of 2228	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe	84
PID 1476 wrote to memory of 2228	1476	1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe	84
PID 540 wrote to memory of 4520	540	cmd.exe	89
PID 540 wrote to memory of 4520	540	cmd.exe	89
PID 540 wrote to memory of 4520	540	cmd.exe	89
PID 4520 wrote to memory of 4852	4520	KVEIF.jpg	91
PID 4520 wrote to memory of 4852	4520	KVEIF.jpg	91
PID 4520 wrote to memory of 4852	4520	KVEIF.jpg	91
PID 4520 wrote to memory of 4852	4520	KVEIF.jpg	91
PID 4520 wrote to memory of 4852	4520	KVEIF.jpg	91

C:\Users\Admin\AppData\Local\Temp\1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe
"C:\Users\Admin\AppData\Local\Temp\1a5626c7f5a40a9fafd824e9da842cafaa84694687787a7e9555d8f79fa6bca0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\fontdrvhost.exe
  C:\Windows\System32\fontdrvhost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2228

C:\Windows\system32\cmd.exe
cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
  "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\fontdrvhost.exe
    C:\Windows\System32\fontdrvhost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD

Filesize
134KB

MD5
5cc3cde92040af699253c765f71a73ae

SHA1
ec7167f14e2c6acae74a8d0dfe2c60be31554778

SHA256
a0186924e1144dbe7a750042f3c9dacca5da53690c775602b2a72b262bdde0a5

SHA512
01d4aeb85fa3a45a7b36afaa6c5be84cb5e66b097a9c8a389bee9659b002cd1472395e6ad55920da0ea70e2c138acf7408817ae2a6cd4f95d3082f4e7d6bdb1f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
a2dedec1355a1aa1aead3b134c510641

SHA1
73c5e4914214a5cedbabcacac7d90ab643ca63c1

SHA256
8d7e53e6ba878bca27975a2b766c102b04dc54c594c126fb189bbb521cd9c2c5

SHA512
148e653484342cc48248218e8cfabae6c35a2d9ed1efab4a9fb21797bbbf6f20bec58919b1a2a724b39c2490c2b91b24ec2fd1536d7313f981c63db51c41a064

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini

Filesize
22B

MD5
930acf89790980bda3854f8bd8dc44d6

SHA1
4033478772bd5b31cdbf85187ad30eb03a560f33

SHA256
34158e7ba9674f6eb03866767791fb29663241342a304cbc1286bdaf049269a6

SHA512
87752859deee77287cf49d0f54f92dee94f49b2ef3c4fd76ee0b573f1cd73b3b9b472ce4f83e8ae11a8b71aa1c0a802c72b87f7fd940a6b3ddce4d85ab68b7b8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt

Filesize
104B

MD5
dbe34003e2586cfa3d7966fc9be6f6ac

SHA1
9b786a157326257382bbcc6af2eb46f4848cb7be

SHA256
bcacbd942f7f831d252fecab8d7cb0af1cf02bf17442665d1716d7939fd5c114

SHA512
2f20616ef28827b2cb96f48db8b48c5bf23eb8c9902e9354afe152f9010bd206ded9c7618f6ea34eda1e50e259b7292920c63f0c24dcf912af562f7d5e8d2a9a

Download Submit
C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg

Filesize
133KB

MD5
6aff283c8d8f3de11a8b0f0042e4b343

SHA1
beba868dce1b9838f012eff37b484205fd49ede9

SHA256
a859c860f86d69b9229327f47c0fb0476277ba87e54fd5c50e4c97c3e04cafc8

SHA512
6943172482f8cd61e85780e0d0a20f2cba2bd16c09ace4c8c0427f9bdef11363f7fbac5bf08910e150f4d0171df16f98760d0bbe382839a9f9fa7af557095cfa

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1C\KVEIFmain.ini

Filesize
1KB

MD5
cb3185f4004920dc15894dfa513ca631

SHA1
69df2baeb1b5f8cb1e0c74c8fcb67af4bc51df68

SHA256
fdd3bc8eadd52c12470250c0dc945494cdec8de67eb38be001b60232ff06b32e

SHA512
a3e59e97ccfb68c7b561c467373686f52ab599ad69a58537be49a3dca8c50dda4e32cfe85d1fade41397a50ba452b48e7536b79e62c8dbe07d9e0c80f1ae6d5f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1C\KVEIFmain.ini

Filesize
1KB

MD5
980fd7abb3770e400e5bdc29385d8601

SHA1
12921ebf12f0144f116383623b51eaba00b63b36

SHA256
61d47892aa3acd120ceff23822e1bf7f110e0b808ec39fcd2718019556d10b26

SHA512
8beda2a0093a75a92e88af20d98e42ebe51027e39273739f6379bb670f7d9e92c4116bee8544aa7d47f5e531367351b5d1b3e71aa9da40f06653e3179248b83b

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Windows\Web\606C646364636479.tmp

Filesize
108KB

MD5
f697e0c5c1d34f00d1700d6d549d4811

SHA1
f50a99377a7419185fc269bb4d12954ca42b8589

SHA256
1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

SHA512
d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

Download Submit
memory/1476-18-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-2-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-19-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-25-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-29-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-21-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-15-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-11-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-10-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-23-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-31-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-32-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-33-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-27-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-13-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-3-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-7-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/1476-5-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/2228-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-114-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-130-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-110-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-106-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-128-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-126-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-122-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-120-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-118-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-116-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-124-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-112-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-108-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-104-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-103-0x0000000000C60000-0x0000000000CB5000-memory.dmp

Filesize
340KB

Download
memory/2228-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-96-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-244-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4852-195-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4852-245-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download