Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 19:40
Static task: static1

General
Target: 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
Size: 816KB
MD5: aeacd6bfb480546d0ee3e14f0bb46f8c
SHA1: 05574783017260e4d3dc0ca831161b5cabf51c30
SHA256: 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325
SHA512: 6aa7e58beb9923690918de0c3634bc6ec170dff647fe5a381604b3e28c6f74ff5e12424175acecee21bf419f66060fd562d48a47ba72703c39e2b4aa0906e6f9
SSDEEP: 24576:BJW2KjJ4Td3kJnbsPhnzqpKZdhRcloe4Mmz5:BInJ4Td3mbsPhnepYhRclkd
Malware Config
Signatures
-
Expiro payload 10 IoCs
Disables taskbar notifications via registry modification
Processes: alg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-355097885-2402257403-2971294179-1000 | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-355097885-2402257403-2971294179-1000\EnableNotifications = "0" | alg.exe
-
Executes dropped EXE 7 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, msdtc.exe, msiexec.exe
pid | process
1032 | alg.exe
1260 | DiagnosticsHub.StandardCollector.Service.exe
1812 | fxssvc.exe
2380 | elevation_service.exe
1820 | elevation_service.exe
884 | msdtc.exe
2152 | msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
Processes: 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: fxssvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
660 |
660 |
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe, fxssvc.exe, alg.exe, msiexec.exe
description | pid | process
Token: SeDebugPrivilege | 3120 | 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
Token: SeTakeOwnershipPrivilege | 3120 | 3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
Token: SeAuditPrivilege | 1812 | fxssvc.exe
Token: SeTakeOwnershipPrivilege | 1032 | alg.exe
Token: SeSecurityPrivilege | 2152 | msiexec.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: alg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1032
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1260
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1692
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:2380
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1820
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:884
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152
Network
MITRE ATT&CK Enterprise v15
Downloads