f002b13244b92b9ed811eac6459290dc38ba481dc2d4263435d388ca713597a7

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5c6595b4241db348a7ab514d4ca2160N.exe
Size

191KB
MD5

b5c6595b4241db348a7ab514d4ca2160
SHA1

0467bbc3f97787708906ffd5a87aee92982e7c4d
SHA256

f002b13244b92b9ed811eac6459290dc38ba481dc2d4263435d388ca713597a7
SHA512

6edafb652869cf40aa13765a04fce5c5a340f5d3c10fc18a9ee386786024512d6affe42c1953fca4edbfd70fd431f24afb47a30ef9a1f61c0a53fdee9f8ef19d
SSDEEP

3072:PAKEsYqqjfipJWYpWJZfGXFxUYyaJC6sOMD5Qjj9jRMKSlJ8subptbbG+X:oKE+qjfipJWYpWJZfGXFRJJRsOM9+j5L

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2236	nphc32.exe
2784	nphc32.exe
380	nphc32.exe
700	nphc32.exe
2408	nphc32.exe
804	nphc32.exe
2540	cwrss.exe

Loads dropped DLL 11 IoCs

pid	Process
3032	b5c6595b4241db348a7ab514d4ca2160N.exe
3032	b5c6595b4241db348a7ab514d4ca2160N.exe
3032	b5c6595b4241db348a7ab514d4ca2160N.exe
3032	b5c6595b4241db348a7ab514d4ca2160N.exe
2784	nphc32.exe
2236	nphc32.exe
2236	nphc32.exe
380	nphc32.exe
380	nphc32.exe
804	nphc32.exe
804	nphc32.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	nphc32.exe
File opened (read-only)	\??\T:	nphc32.exe
File opened (read-only)	\??\L:	cwrss.exe
File opened (read-only)	\??\p:	nphc32.exe
File opened (read-only)	\??\S:	nphc32.exe
File opened (read-only)	\??\U:	nphc32.exe
File opened (read-only)	\??\V:	nphc32.exe
File opened (read-only)	\??\N:	nphc32.exe
File opened (read-only)	\??\H:	nphc32.exe
File opened (read-only)	\??\H:	nphc32.exe
File opened (read-only)	\??\I:	nphc32.exe
File opened (read-only)	\??\E:	cwrss.exe
File opened (read-only)	\??\t:	cwrss.exe
File opened (read-only)	\??\A:	nphc32.exe
File opened (read-only)	\??\L:	nphc32.exe
File opened (read-only)	\??\Q:	nphc32.exe
File opened (read-only)	\??\p:	nphc32.exe
File opened (read-only)	\??\q:	nphc32.exe
File opened (read-only)	\??\q:	nphc32.exe
File opened (read-only)	\??\H:	nphc32.exe
File opened (read-only)	\??\I:	nphc32.exe
File opened (read-only)	\??\U:	nphc32.exe
File opened (read-only)	\??\T:	nphc32.exe
File opened (read-only)	\??\m:	nphc32.exe
File opened (read-only)	\??\p:	cwrss.exe
File opened (read-only)	\??\L:	nphc32.exe
File opened (read-only)	\??\Y:	nphc32.exe
File opened (read-only)	\??\K:	nphc32.exe
File opened (read-only)	\??\L:	nphc32.exe
File opened (read-only)	\??\g:	cwrss.exe
File opened (read-only)	\??\I:	nphc32.exe
File opened (read-only)	\??\h:	nphc32.exe
File opened (read-only)	\??\M:	b5c6595b4241db348a7ab514d4ca2160N.exe
File opened (read-only)	\??\Z:	nphc32.exe
File opened (read-only)	\??\v:	nphc32.exe
File opened (read-only)	\??\r:	nphc32.exe
File opened (read-only)	\??\y:	cwrss.exe
File opened (read-only)	\??\A:	b5c6595b4241db348a7ab514d4ca2160N.exe
File opened (read-only)	\??\Z:	nphc32.exe
File opened (read-only)	\??\M:	nphc32.exe
File opened (read-only)	\??\i:	cwrss.exe
File opened (read-only)	\??\Q:	nphc32.exe
File opened (read-only)	\??\Z:	nphc32.exe
File opened (read-only)	\??\A:	nphc32.exe
File opened (read-only)	\??\b:	cwrss.exe
File opened (read-only)	\??\x:	nphc32.exe
File opened (read-only)	\??\R:	b5c6595b4241db348a7ab514d4ca2160N.exe
File opened (read-only)	\??\k:	nphc32.exe
File opened (read-only)	\??\N:	cwrss.exe
File opened (read-only)	\??\S:	cwrss.exe
File opened (read-only)	\??\k:	nphc32.exe
File opened (read-only)	\??\B:	nphc32.exe
File opened (read-only)	\??\K:	nphc32.exe
File opened (read-only)	\??\X:	nphc32.exe
File opened (read-only)	\??\K:	cwrss.exe
File opened (read-only)	\??\X:	cwrss.exe
File opened (read-only)	\??\u:	nphc32.exe
File opened (read-only)	\??\n:	nphc32.exe
File opened (read-only)	\??\q:	cwrss.exe
File opened (read-only)	\??\H:	b5c6595b4241db348a7ab514d4ca2160N.exe
File opened (read-only)	\??\V:	nphc32.exe
File opened (read-only)	\??\J:	nphc32.exe
File opened (read-only)	\??\J:	nphc32.exe
File opened (read-only)	\??\W:	nphc32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Maps connected drives based on registry 3 TTPs 16 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b5c6595b4241db348a7ab514d4ca2160N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	b5c6595b4241db348a7ab514d4ca2160N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nphc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cwrss.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WT4YH9WJ.txt	cwrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WT4YH9WJ.txt	cwrss.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STDB3S81.txt	cwrss.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5c6595b4241db348a7ab514d4ca2160N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nphc32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 30380cf20ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = f0efe7cb0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = b02874ce0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 300960cd0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000024000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000025000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000081000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = f0b554f30ee0da01	cwrss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 50d818cb0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000027000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000044000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecision = "0"	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000012000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000005b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = f0effdf10ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 505100f20ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000077000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000007e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = f002c4cd0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = d065f6df0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = f04441e10ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 70c276cc0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = f089fddf0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000066000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000007a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 905452f30ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 107ae4ca0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000026000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000031000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 10ae04e00ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000028000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 50f3bdce0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = b00746e10ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 707507f20ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = b041e4cc0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000038000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000048000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000005e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecision = "0"	cwrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadNetworkName = "Network 3"	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 906299cb0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 30dd13cd0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 103df1cd0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = d09481cb0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = f04441e10ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 106948e10ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1D67307-D9C1-427A-9D38-CAAC2ABF5633}\WpadDecisionTime = 10a3e6cc0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000007d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = d0914df30ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = d0cbe0cb0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 9099f8cb0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000023000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000057000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 700ffccc0ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = b04c02e00ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 30f34ff30ee0da01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-aa-a9-46-05-c1\WpadDecisionTime = 30c7f8df0ee0da01	cwrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cwrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\open\command	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon\ = "%1"	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\wups\shell\open\command	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ole32\\nphc32.exe\" 1 /START \"%1\" %*"	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\DefaultIcon\ = "%1"	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\open\command\ = "\"C:\\ProgramData\\Ole32\\nphc32.exe\" /START \"%1\" %*"	nphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\runas	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\open\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\DefaultIcon\ = "%1"	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\open\command	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas\command	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command	nphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\runas\command\ = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\ = "stat32"	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon\ = "%1"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ole32\\nphc32.exe\" 1 /START \"%1\" %*"	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\ = "stat32"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\ = "stat32"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32\shell\runas\command	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\Ole32\\nphc32.exe\" /START \"%1\" %*"	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\Content-Type = "application/x-msdownload"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\open\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\Content-Type = "application/x-msdownload"	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\open\command\IsolatedCommand = "\"%1\" %*"	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon	nphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\DefaultIcon\ = "%1"	nphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe	nphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\runas\command	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon	nphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	b5c6595b4241db348a7ab514d4ca2160N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32\shell\open\command	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\Content-Type = "application/x-msdownload"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\runas\command\ = "\"%1\" %*"	nphc32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	nphc32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32	nphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell	b5c6595b4241db348a7ab514d4ca2160N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\ = "Application"	nphc32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\stat32\DefaultIcon	nphc32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2408	nphc32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3032	b5c6595b4241db348a7ab514d4ca2160N.exe
Token: SeIncBasePriorityPrivilege	3032	b5c6595b4241db348a7ab514d4ca2160N.exe
Token: SeIncBasePriorityPrivilege	2236	nphc32.exe
Token: SeIncBasePriorityPrivilege	2784	nphc32.exe
Token: SeIncBasePriorityPrivilege	380	nphc32.exe
Token: SeIncBasePriorityPrivilege	804	nphc32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2408	nphc32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2236	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	30
PID 3032 wrote to memory of 2236	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	30
PID 3032 wrote to memory of 2236	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	30
PID 3032 wrote to memory of 2236	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	30
PID 3032 wrote to memory of 2784	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	31
PID 3032 wrote to memory of 2784	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	31
PID 3032 wrote to memory of 2784	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	31
PID 3032 wrote to memory of 2784	3032	b5c6595b4241db348a7ab514d4ca2160N.exe	31
PID 2784 wrote to memory of 380	2784	nphc32.exe	32
PID 2784 wrote to memory of 380	2784	nphc32.exe	32
PID 2784 wrote to memory of 380	2784	nphc32.exe	32
PID 2784 wrote to memory of 380	2784	nphc32.exe	32
PID 2236 wrote to memory of 700	2236	nphc32.exe	33
PID 2236 wrote to memory of 700	2236	nphc32.exe	33
PID 2236 wrote to memory of 700	2236	nphc32.exe	33
PID 2236 wrote to memory of 700	2236	nphc32.exe	33
PID 380 wrote to memory of 2408	380	nphc32.exe	34
PID 380 wrote to memory of 2408	380	nphc32.exe	34
PID 380 wrote to memory of 2408	380	nphc32.exe	34
PID 380 wrote to memory of 2408	380	nphc32.exe	34
PID 804 wrote to memory of 2540	804	nphc32.exe	36
PID 804 wrote to memory of 2540	804	nphc32.exe	36
PID 804 wrote to memory of 2540	804	nphc32.exe	36
PID 804 wrote to memory of 2540	804	nphc32.exe	36

C:\Users\Admin\AppData\Local\Temp\b5c6595b4241db348a7ab514d4ca2160N.exe
"C:\Users\Admin\AppData\Local\Temp\b5c6595b4241db348a7ab514d4ca2160N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\ProgramData\Ole32\nphc32.exe
  "C:\ProgramData\Ole32\nphc32.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\Ole32\nphc32.exe
    "C:\Users\Admin\AppData\Roaming\Ole32\nphc32.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    PID:700
- C:\ProgramData\Ole32\nphc32.exe
  "C:\ProgramData\Ole32\nphc32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\ProgramData\Ole32\nphc32.exe
    "C:\ProgramData\Ole32\nphc32.exe" 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Roaming\Ole32\nphc32.exe
      "C:\Users\Admin\AppData\Roaming\Ole32\nphc32.exe" 1
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2408

C:\ProgramData\Ole32\nphc32.exe
C:\ProgramData\Ole32\nphc32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\ProgramData\SysEXT0\cwrss.exe
  "C:\ProgramData\SysEXT0\cwrss.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ole32\ehm\orgusurofi\enqiha.sys

Filesize
4KB

MD5
06d8746111ce883cde2b2d55e487b9d0

SHA1
712b7b2a31e6791ae70ed2d93711a2658611f2df

SHA256
4aceb11e1777251fc1ab9dd339731113bd912d14ebdae163626b908573edfa48

SHA512
01f7c42f7429769ebc5761fde0f97065cfdefc0b3971ded7b396b937defdd277757dbcbb84a0b24b90e96dfbd401f90b1137ca9628c2fbee81842e3cb28f97b9

Download Submit
C:\ProgramData\Ole32\ehm\orgusurofi\maefmeepu.bin

Filesize
5KB

MD5
79962830f8d6a527b6141be0afd20e07

SHA1
ddffb792a23525cf6bc012d59f9963a37b1bdbca

SHA256
b3534aa234127ac1ae76d05624a09a2e6cba596d618d967dd179943bfa979d88

SHA512
8a6c52057895a25011a61e2ffa4febc5daefe1378181b0354fc914faa256c5b2102f4409df91201cd94b82b918f0d779133a10ea34eeb2738eee06dff219b1ab

Download Submit
C:\ProgramData\SysEXT0\dll32\atcenoocqu.ocx

Filesize
2KB

MD5
a2833e785a2ae2bc544f96e50d104f61

SHA1
621e1c037d0041a2ebb50adc8ed1e331962641f5

SHA256
593ae8db4e4093f20e46c02ea5347d0144c70fad3cd248380ba70ba772d4893f

SHA512
0f8fbf45f579085dfce22cc15b5d9e4fb7d60e1a14ace769a7d8ac5ea456b11f689de6994c1b702ea5dfa95b33642badd0b1bb202b02a02e30ef3b8d9a8725b2

Download Submit
C:\ProgramData\SysEXT0\dll32\cinae.ocx

Filesize
6KB

MD5
770632788b068ccb6cb91d8246148350

SHA1
1fd068f632d03fbfdd6fd2825da99bb09ba46f95

SHA256
c38ae0ac2100bcdf3d8b06a39474a96aceb8e96a3b5eba2fd91ba1679cdd759a

SHA512
66e3ceaa5403caf8b043c70770983ee78716dbcc2cc5d62c1373cc95e54e43c4439be1f1ffc3c35b9d1368e4807843c1c5afdf06981cd0415e7a5dd58a2ffe5c

Download Submit
C:\ProgramData\SysEXT0\dll32\dacaevel.sys

Filesize
7KB

MD5
6e373b624daef5fd6fe8f46c0bb3216c

SHA1
f35ee5d8e5dbc1f03b42a1d6f8b056e63163157b

SHA256
ab5b5acf3eead5c448e0748d63cf15b23fe4e001be51d5424d84d3a0fed8446a

SHA512
a8d5209d43e9751012dfcadfd92a48c3dbe9c1f7a8e9e45ce1f7c17f8af14cf0f51c4bdd1947c777b71cf184e0800e70378020b2bb44cdc42ea3b2b51bf04cfe

Download Submit
C:\ProgramData\SysEXT0\dll32\nianat.dmp

Filesize
9KB

MD5
532984304228ae1b0ce7ebe94442c68c

SHA1
80a50fbe09efd324c9f6c621d4fa33dd854e0a3d

SHA256
a78555376003225ace50a229ed471638116e0b7f35285e5e5f9acf06dfaa97a3

SHA512
10bd9062b49017eedefb6dfd5771396aa96808c586e5d652bcbde17ea020d2cf04894976aaf0eaf288fbc9d3903f4f269ff20e236f08175c554e4a06fed5c8b8

Download Submit
C:\ProgramData\SysEXT0\dll32\onvopoeqa.drv

Filesize
6KB

MD5
996f862da6268f8687f88f7fcacd5925

SHA1
188ad2ab4ae6258119d1c4a6260e41ccbe3e181a

SHA256
0e85fda3e19b927d4485a0e59a326cd1c8ac3dda09c51b28912e08e39bbe822d

SHA512
490724ab40dc23d8901960c2eecee37e264e3e29800bbf1c20ab0920fa751cc43b4b1a601014184b010461d72d6506dfeb8c635f374799d51c539023cb3b3a3c

Download Submit
C:\ProgramData\SysEXT0\dll32\oqormaopul.dat

Filesize
5KB

MD5
f6513571743b5b131b495b3648862d07

SHA1
2648e0fda837bf38d63fcffae7fc4fbc2d66564c

SHA256
652fef4007355da00c4acea032c8bcbc0970e42ec53d7784603d0b31963372c7

SHA512
6dc5c622918441ed2188b801f1b22d484c3d11ec4ea9abdc76159cc5986f46c919bb6795e9f2d74be7ca5b84bb3aeb38236bd386306fb04a130f121e19f9a43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\AA4FLPAO.txt

Filesize
14B

MD5
feed726ebc1f03353dbb7c216a8c3d65

SHA1
e13b2684fea4068faef8cd1881c2e9f3a1c0b694

SHA256
299f6464589de6ee619d792fd3714935256a545530fd0a4f8422982b0b24b259

SHA512
7d3f57ff83cbbe4bb57a06399749798a58a15edb29b49ff343825496a1a34a898fadebf866983be287bea2be0f604d0ba7b32847b1d0e0839078c0f36ecf0c0b

Download Submit
\ProgramData\Ole32\nphc32.exe

Filesize
191KB

MD5
1e7f2b7971cd197df125dd4adede7c59

SHA1
9b2db834a4627a980ebc9ef3f1e4b93b697110fa

SHA256
7d14952d99dcfcb1eda9c0a67c4129bd4e5050a0af84848a3731193a3ae585a3

SHA512
05661d570cc25fa5945d264b3775d432f67f7ca420a5ee7719224a36bc454da204274c972e01dd02c14f94b34cf6bb6629fef3eae5110378ff7ba427f7993783

Download Submit
\ProgramData\SysEXT0\cwrss.exe

Filesize
191KB

MD5
a9321e1c20eed46a935476d08822367c

SHA1
1dfb2ae512fc836b54706ad2db82d91126f4c369

SHA256
e89e6a2796507d0dcb48e98c6b971e50b5bc9b4a7adefa5fa7d46360560003ca

SHA512
30cb171d43c302f6cf8e448f17e3904d9a2706b5e62252e65da25d35be80ce80618fff4ce4398bf9ccd8b7cf108730df6cc503e2aa4ef333bca12f17aaa7b64d

Download Submit
\Users\Admin\AppData\Roaming\Ole32\nphc32.exe

Filesize
191KB

MD5
df748c41b58dcc31c634bbfdc0141f3e

SHA1
7b7cadb19e6dc01dba0f393f64c540fe0c15f626

SHA256
048adfa3c6db72de56c5a6077f8bc12c37b07c4b0c6a9ec08e37a11aa7e60037

SHA512
f02bb9669785da31a80f45b8630758138dc2bcba1e17bf1ecb1983e0b075f470a827df6433fb071dbb85f7dbda5612ef95ccbf2909fd73cff2a775c42255510f

Download Submit