Resubmissions
13/06/2024, 06:10
Analysis 240613-gxea3sxamg (8)
max time kernel: 300s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
  Resource: win10v2004-20240611-en
General
Target: e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
Size: 223KB
MD5: 3955af54fbac1e43c945f447d92e4108
SHA1: 53c5552c3649619e4e8c6a907b94573f47130fa4
SHA256: e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16
SHA512: fa028a040a5f075296aebab7f63a59b6cbba32ee0964dfc08768396cc012ff5d861191e2478914d79d4a424c3bba110505a58b97376c44c716f0b1ea70551037
SSDEEP: 3072:tneBqhy5aVLOwqI8sgwoEHXfwaNUM+/ORSs5G2Ms4f6TFZbhgvbUxzJ8Y:tETlsgOfDt+/V6JQO98
Malware Config
Signatures

Creates new service(s) (2 TTPs)

Possible privilege escalation attempt (2 IoCs)
- PID 3836 takeown.exe
- PID 2352 icacls.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation (e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe)

Executes dropped EXE (2 IoCs)
- PID 3124 wmpnetwk.exe
- PID 1632 wmixedwk.exe

Loads dropped DLL (2 IoCs)
- PID 3124 wmpnetwk.exe
- PID 1632 wmixedwk.exe

Modifies file permissions (1 TTPs, 2 IoCs)
- PID 3836 takeown.exe
- PID 2352 icacls.exe
Resources matching yara_rule upx (7):
- behavioral2/memory/3832-74-0x0000000140000000-0x0000000140138000-memory.dmp
- behavioral2/memory/3832-77-0x0000000140000000-0x0000000140138000-memory.dmp
- behavioral2/memory/3784-91-0x0000000140000000-0x000000014011B000-memory.dmp
- behavioral2/memory/3784-90-0x0000000140000000-0x000000014011B000-memory.dmp
- behavioral2/memory/3832-78-0x0000000140000000-0x0000000140138000-memory.dmp
- behavioral2/memory/3832-75-0x0000000140000000-0x0000000140138000-memory.dmp
- behavioral2/memory/3832-73-0x0000000140000000-0x0000000140138000-memory.dmp
Drops file in System32 directory (12 IoCs)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\3832.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\3312.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1912.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\4972.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1636.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\2876.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1704.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1532.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\3784.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\5064.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1916.hecate (svchost.exe)
- File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\3412.hecate (svchost.exe)
Suspicious use of SetThreadContext (14 IoCs)
- PID 1632 wmixedwk.exe set thread context of 4344 (procid_target 92)
- PID 4344 svchost.exe set thread context of 3832 (procid_target 93)
- PID 4344 svchost.exe set thread context of 4720 (procid_target 94)
- PID 4344 svchost.exe set thread context of 3784 (procid_target 95)
- PID 4344 svchost.exe set thread context of 5064 (procid_target 107)
- PID 4344 svchost.exe set thread context of 1916 (procid_target 109)
- PID 4344 svchost.exe set thread context of 3312 (procid_target 110)
- PID 4344 svchost.exe set thread context of 3412 (procid_target 111)
- PID 4344 svchost.exe set thread context of 1912 (procid_target 112)
- PID 4344 svchost.exe set thread context of 1636 (procid_target 113)
- PID 4344 svchost.exe set thread context of 2876 (procid_target 114)
- PID 4344 svchost.exe set thread context of 4972 (procid_target 115)
- PID 4344 svchost.exe set thread context of 1704 (procid_target 116)
- PID 4344 svchost.exe set thread context of 1532 (procid_target 117)
Drops file in Program Files directory (21 IoCs)
- File created C:\Program Files\Windows Media Player\wmixedwk.exe (e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe)
- File opened for modification C:\Program Files\Windows Media Player\mpsvc.dll (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpa (svchost.exe)
- File created C:\Program Files\Windows Media Player\down_info (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File created C:\Program Files\Windows Media Player\wmpnetwk.exe (e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxds (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpp (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File created C:\Program Files\Windows Media Player\background.jpg (e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe)
- File created C:\Program Files\Windows Media Player\mpsvc.dll (e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe)
- File opened for modification C:\Program Files\Windows Media Player\wmixedwk.exe (e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
- File opened for modification C:\Program Files\Windows Media Player\ppqqxpb (svchost.exe)
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
- PID 2032 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
Runs ping.exe (1 TTPs, 1 IoC)
- PID 1792 PING.EXE

Suspicious use of AdjustPrivilegeToken (27 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"
  PID: 2120
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
      PID: 744
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\takeown.exe
          Command line: takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
          PID: 3836
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe
          Command line: icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
          PID: 2352
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
      PID: 1164
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe
          Command line: sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
          PID: 2032
          - Launches sc.exe

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
      PID: 2468
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\PING.EXE
          Command line: ping 127.0.0.1 -n 3
          PID: 1792
          - Runs ping.exe

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 5084
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID: 4584
      - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      PID: 1508
      - Modifies data under HKEY_USERS

C:\Program Files\Windows Media Player\wmpnetwk.exe
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  PID: 3124
  - Executes dropped EXE
  - Loads dropped DLL

C:\Program Files\Windows Media Player\wmixedwk.exe
  Command line: "C:\Program Files\Windows Media Player\wmixedwk.exe"
  PID: 1632
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4344
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 3832
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 4720
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 3784
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 5064
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1916
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 3312
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 3412
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1912
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1636
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 2876
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 4972
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1704
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1532
          - Drops file in System32 directory
          - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads