Analysis
-
max time kernel
150s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-09-2024 18:59
Static task
static1
General
-
Target
39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
-
Size
625KB
-
MD5
90180f284c1a5dc94ac94cae1dbdbfcc
-
SHA1
dbeb50c4cf66722a01bc391c225bb930354a3fc4
-
SHA256
39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf
-
SHA512
4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04
-
SSDEEP
12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5
Malware Config
Signatures
-
Expiro payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/972-0-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/972-1-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/972-3-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/972-47-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/972-49-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
-
Windows security modification
Disables taskbar notifications via registry modification
Processes: alg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-786284298-625481688-3210388970-1000 | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-786284298-625481688-3210388970-1000\EnableNotifications = "0" | alg.exe
-
Executes dropped EXE 8 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, msiexec.exe
pid | process
4888 | alg.exe
316 | DiagnosticsHub.StandardCollector.Service.exe
1900 | fxssvc.exe
3804 | elevation_service.exe
3048 | elevation_service.exe
2520 | maintenanceservice.exe
840 | msdtc.exe
3564 | msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: alg.exe, 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
description | ioc | process
File opened (read-only) | \??\I: | alg.exe
File opened (read-only) | \??\L: | alg.exe
File opened (read-only) | \??\V: | alg.exe
File opened (read-only) | \??\J: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\V: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\I: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\K: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\E: | alg.exe
File opened (read-only) | \??\G: | alg.exe
File opened (read-only) | \??\O: | alg.exe
File opened (read-only) | \??\P: | alg.exe
File opened (read-only) | \??\Q: | alg.exe
File opened (read-only) | \??\T: | alg.exe
File opened (read-only) | \??\W: | alg.exe
File opened (read-only) | \??\Y: | alg.exe
File opened (read-only) | \??\O: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\R: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\T: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\Z: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\K: | alg.exe
File opened (read-only) | \??\S: | alg.exe
File opened (read-only) | \??\X: | alg.exe
File opened (read-only) | \??\Z: | alg.exe
File opened (read-only) | \??\E: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\L: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\M: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\N: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\Q: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\Y: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\M: | alg.exe
File opened (read-only) | \??\H: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\S: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\H: | alg.exe
File opened (read-only) | \??\G: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\X: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\N: | alg.exe
File opened (read-only) | \??\R: | alg.exe
File opened (read-only) | \??\U: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\J: | alg.exe
File opened (read-only) | \??\U: | alg.exe
File opened (read-only) | \??\P: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened (read-only) | \??\W: | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
-
Drops file in System32 directory 64 IoCs
Processes: alg.exe, 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe, msdtc.exe
description | ioc | process
File opened for modification | \??\c:\windows\system32\vssvc.exe | alg.exe
File opened for modification | \??\c:\windows\system32\searchindexer.exe | alg.exe
File opened for modification | \??\c:\windows\SysWOW64\Appvclient.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\msdtc.exe | alg.exe
File opened for modification | \??\c:\windows\system32\sensordataservice.exe | alg.exe
File opened for modification | \??\c:\windows\system32\spectrum.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\svchost.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\svchost.exe | alg.exe
File opened for modification | \??\c:\windows\system32\wbem\wmiApsrv.exe | alg.exe
File opened for modification | \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\vssvc.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\Agentservice.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\fxssvc.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\wbengine.exe | alg.exe
File opened for modification | \??\c:\windows\system32\locator.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\tieringengineservice.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\SysWOW64\geboejqg.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\sensordataservice.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\tieringengineservice.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File created | \??\c:\windows\system32\aldbhnoo.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\SysWOW64\nblonioo.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | alg.exe
File opened for modification | \??\c:\windows\system32\snmptrap.exe | alg.exe
File created | \??\c:\windows\system32\pjlfoicp.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\vds.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe | alg.exe
File opened for modification | \??\c:\windows\system32\spectrum.exe | alg.exe
File opened for modification | \??\c:\windows\SysWOW64\perfhost.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\pikiolfg.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\wbem\wmiApsrv.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\sgrmbroker.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\WindowsPowerShell\v1.0\cjfhplam.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\Appvclient.exe | alg.exe
File opened for modification | \??\c:\windows\system32\sgrmbroker.exe | alg.exe
File opened for modification | \??\c:\windows\system32\Agentservice.exe | alg.exe
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\fpjialol.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\openssh\ssh-agent.exe | alg.exe
File created | \??\c:\windows\system32\okhllhfb.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\searchindexer.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\alg.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\dkkiohca.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\fkjkngfd.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\phpjldnl.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\sgrmbroker.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\cpdanejb.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\lsass.exe | alg.exe
File created | \??\c:\windows\SysWOW64\dlfadijb.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\openssh\ssh-agent.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\plndacgq.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\perceptionsimulation\ofcdqinf.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\windows\system32\fpodmacf.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
-
Drops file in Program Files directory 64 IoCs
Processes: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe, alg.exe
description | ioc | process
File created | \??\c:\program files\google\chrome\Application\123.0.6312.123\baelbdmk.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\dotnet\ddnfppgh.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe | alg.exe
File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\program files\common files\microsoft shared\source engine\leoneddm.tmp | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\ffolloje.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | alg.exe
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File created | C:\Program Files\Google\Chrome\Application\elidehmc.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\7-Zip\gkooamha.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Internet Explorer\dendjgfp.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | \??\c:\program files (x86)\mozilla maintenance service\ehkapkba.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Internet Explorer\kjkookie.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | alg.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
-
Drops file in Windows directory 4 IoCs
Processes: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: fxssvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes: alg.exe
pid | process
4888 | alg.exe (42 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
656 |
656 |
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe, fxssvc.exe, alg.exe, msiexec.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 972 | 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Token: SeAuditPrivilege | 1900 | fxssvc.exe
Token: SeTakeOwnershipPrivilege | 4888 | alg.exe
Token: SeSecurityPrivilege | 3564 | msiexec.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: alg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 972
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4888
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 316
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 4040
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1900
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 3804
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3048
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2520
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 840
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3564
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.9MB
MD5
c7484b53c2f612117135d65a68440996
SHA1
737f2b726f6380a7597076fa05adf60329195286
SHA256
002f846ae2de90463eb2da648e113957ed0a2f0b53fec4b8d49bc1103966d59c
SHA512
1c5e7eb200b350d2777786abb4cf367fcf1ba844489be020d0c5f489bed61d27c53611c5c2ee26457947e8b3b1d50a594d696ede8e5fc1c1a5ef0da8744b829a
-
Filesize
621KB
MD5
468e5777165bb15a98fd4365632da5e9
SHA1
0133691bf824d987acaeeb5e3ff2100bea5342e7
SHA256
a3261fc9684c43585139c479114a114f9f167d736a2687a818e35cdcd4c92a37
SHA512
3f3275d97a25f7ec3e61f11003b10fc418662413310ac4686322a7b32229ebfb4e0670ca3c69524f693e350d5d0f2e7e2914b272bcb32cf727290dba300c3939
-
Filesize
940KB
MD5
d37b4746a153abe6008218dec220f462
SHA1
a473b1701862c1c79207d7bb39291f3e37ce0db6
SHA256
592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7
SHA512
5d64373cb70fe1acace04ffd8ab279ac74e28f0c415ba0355534082abbd9cb7609f537fab249a2af4e11ead0968e461c6fcfd2082a0220cebeba1f4ab873b714
-
Filesize
1.3MB
MD5
ae644316de57b0c8bf380100fdf6201b
SHA1
8e0ed2070e0a948993a6a80a58d5ad2913430d06
SHA256
e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651
SHA512
d254be661526154c2c2e028371e53759d8ab674945124015408b6878e207c35293f222a8edc50384b7baf8ee1c026810d6fb42cb6aae761175138fcf5a8bb182
-
Filesize
1.1MB
MD5
cf4b2a7fec07e59a61682fda102494a9
SHA1
8888ac4294f0e4299df1453aa02928261dd597dd
SHA256
3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868
SHA512
69f14a52e396cec44cd499041a80f14cf305a5a2405242d09846881e179dd1e86c9a8201eccd45d177a408641162c9599fdcfc102998247f832cb9b4ca36ec8e
-
Filesize
410KB
MD5
4e3d1b52c0977001b717300355b600cf
SHA1
e3615160362af023a082b00f68ae9981437cea10
SHA256
f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f
SHA512
855c4cc6eb21293b02e1f44a8e46855497054e5d4af3b8279d9eaec89f3d2c9e8ee93267634d97ff7ea85f6be00a04019906f4b58a104c630338997ae5ceadf4
-
Filesize
672KB
MD5
ebaf6ab801a8bec40079f34477886c85
SHA1
36eea4c2c5bbb26327f4ec0f4c0c05831f167134
SHA256
59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011
SHA512
eceb94773f02f466141e9563fb00bd6d5c4bc3261e7097b3f20386700d5b279bd438ad74fc807d3ed75040acdd2ff6292207e16a50badbf4a59bcabac41bab5f
-
Filesize
4.5MB
MD5
29d58cfec058511f5c97e5342d8aac13
SHA1
e8bfce0354a518e444c2397abe4700855515b676
SHA256
a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691
SHA512
ad6f3edf5cbbd92a711c0fcc465056b6a7e66389a68df81e33f71958d8cd470ac69e81e582aa350ae676cb07e428babbf2f8e9763fc186d8dec79561081eff10
-
Filesize
738KB
MD5
b95a3115be79e0a681e206df9d2a70f0
SHA1
646946a39585c2f6b2234edd60dcc8e2fcf512d8
SHA256
9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a
SHA512
5081618735bf94cbc9eb5f47e49101aa9d534c8958fd1d4a6a7a363df46c0ce10b89ec73c47e60d1ffe5e6aeaaff1883f942f716cbd00790f0dfcf95f2663602
-
Filesize
23.8MB
MD5
a14df0b641a9d2b9941d492749fa4744
SHA1
a126c239d21f0478ff61a601039faa868e1d4a04
SHA256
c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd
SHA512
b995a37bc8dc313bda8af0f174cc2d6f97340661d1b35a4169420dc1a3bf4ef61553a8734ef8da419865d65e1a84394082fba43843b4da9372c2c7cfaf9f7d54
-
Filesize
2.5MB
MD5
cd98bf3cf0569b3979037e8460f89245
SHA1
9ef80255655214f32685c42aefa33c39737237cd
SHA256
ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9
SHA512
0760868de032a8c64497988e47b59061895e74e9dbb21ad57fba6f33d3602f344f3b1602df0937a6fda9572b7e86fcf68e3e5d95f3e2656bb51392d7f8ec49ff
-
Filesize
637KB
MD5
dc21b692eb3f8a6f74b3f68c31acb949
SHA1
722a6515c9a8669196346bb42a40bed6565bbafe
SHA256
69137bc01b05e045b4d0bc10fc7d579ed502a41b8aac1bc560581425599838e4
SHA512
045f7d9ef94e2ae643669db37b789cd521af0e6e8618f0719ec0eb176694a04bec0ce6ea3145bbd64922225d6eeffb43ccdf01249ff640b7c0ca5307d18bcb4e
-
Filesize
2.0MB
MD5
fbafcf56e1c3ab25053ff26136c81758
SHA1
439974bcdf9041d55fe73207cb3dc8436509bcdd
SHA256
255dc54ebd6ad4cc6379d73e916eecf6e9eead33b97fc9f43b5cebd47a8895c9
SHA512
b5846bf7c321d4d847734c47697a517df2a98e05de3f8a309dcd6ec92f2fa017d58fa631b0fa9ae2ed736ec7848cfe6ba96abd06306e0e85ccc8a4363f6ac9a5
-
Filesize
625KB
MD5
172d8147daaa10e1e3e482fea73b4fba
SHA1
9827b8f1c20556ddbb116e0fae70fa56007c0f49
SHA256
1f594ec3013d8299fcb8142ad5b2c687b4e2be3746f1718b515f5385886fe604
SHA512
55a2b18deb980236fe085d1ea01a17800cbe551942a99a83cc2e2a005f30895a3a3534eda3c18863b53fbe1a06ccfaa6466e4c53e1b25d10f6a18ea6fab9ae52
-
Filesize
818KB
MD5
f7bdfb38a548d55eb6f15b1e6ef2869e
SHA1
a20f606eaeb62d70863064a544493b8253cdbf02
SHA256
ae750850fc981e0cc332792849294cd08c481de4dfab0974a3388770a1f4550b
SHA512
c15990d7b8ad9993679f35d0621bd927398ca1260e1cb3614a02c292c1f645d8c4339fb96c2f29914b4cab6cb699584b732d72d2218db70289f0fac0dd08e564
-
Filesize
487KB
MD5
0a4caf2ee8c2e8f943bae206cab5536d
SHA1
74e0624d222b1776d8ea41f209b5182935e105ad
SHA256
8f3af88fe5a3841eb1e6c60ed5487d9ddf4fe32819f960abd6a903343f40ec55
SHA512
9d90232895c49764a1f93a626dc03ebf2b1891a619ff9f556fd05e2b778a7ca81c7490e8fb2a7c6b21e7d7c64c1e818a99e3fd098213219b253b9c8e7921d9b5
-
Filesize
1.0MB
MD5
9bfdcc5bf25c8969b99faddf253f53ef
SHA1
aa2a77769f580a6b003d1a8dad3be78803a28f5e
SHA256
f69e1758ab7ef2c8ba606fb8f7f38f15f83b67fbfd77f516a32796ffb5eb3849
SHA512
89aac02bcf15a3de309ebc50a6df73dff0ae2deca1c688323e2d8889d847c2730bc3b8e23d5876b8cb3d669c820d3334c24b4a07ae23481e730b924f2ae788be
-
Filesize
489KB
MD5
52683298861598d7bcca7729f7c7564b
SHA1
6e1bb44178b78b4d880e4a4bbfe6c489e54dbabf
SHA256
886a608d539d6ec674be52b08192c2cc2591bb28e4781ca9bb7de81c81c14a1d
SHA512
39f9f88f8b6379b82f64d169d61ff949fe52de291551bc88b756b380bed2ba8e8b29574da18b2a602d16d526d310f968d1e8e0b537f00334214fb39baca15e21
-
Filesize
540KB
MD5
fde7f88e7b378845b7e48b8c4096c3dd
SHA1
1256a13c28e02a7cf29a879e98df4d05f3437cf7
SHA256
ef0e192a5500e4a4e44a9e74e5e56dd6835c2b7271e173e5e16496b74757d39b
SHA512
5b242812c0fd6e4f7fe4259a871cdebf5f3700c5934fe61d4c7db9f19a793378363935171c6ea7f7b829ac8aa290c92d6a4a8f54116ba013d19a9b131ac14d1f
-
Filesize
463KB
MD5
93e7080798f92e30187898c0dc1d093e
SHA1
844e46ba6c2fccba550c63b63f9bf33f5460fbde
SHA256
8b3eff4829665387cfaf1ea5b9feaaeb7029d487a8f229e22b4f2751823d77b7
SHA512
9a297fd797d3ae7e75af8e4433e6e75c02890b36be56f2bf2d1fd71cb73a9fb78d4cf76b1bc683acd1cd8b78acb42283455246efbe002a3a975a5c2b094c29ed
-
Filesize
1.1MB
MD5
3bba852b4ee81c2ce1bcd27d5b225a63
SHA1
20e647e515afaed3be756fab294b18566b9c01cd
SHA256
bbdd09f76cc7cbd434de322a27935372d824740996ae671e9db81f04401f9e76
SHA512
8e3b8edaadcc4092050ef925370bbb9016affa3c655029a99548e85a1d98049bc64c38f15da70ae963fd8f76c24c8003f4d52d88a1a7f01d0c9d1e7008485cca