ec6aebaf897b7513438d0a9e948faa76074e04a0c4cf9921c8c7ae6c1895d13e

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a07b7dc7fce2caf921093b5017e6b0N.exe
Size

170KB
MD5

50a07b7dc7fce2caf921093b5017e6b0
SHA1

3a8fa404134394ce3a17e1ed41d3fafe243462da
SHA256

ec6aebaf897b7513438d0a9e948faa76074e04a0c4cf9921c8c7ae6c1895d13e
SHA512

4176776c68fcf05112eccb45f19ecc330dd91e8ea2113846d3a12c00ef1e5a7dcd3f9e32bc4be2a2b83cd3278c6bb5c762d405573a418073151c780a7dade306
SSDEEP

3072:KJpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7Ux:MAm5oh63laEo+pXX1pkF8mxeq5+4m71t

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
684	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
2840	sppcomapi.exe
2440	sppcomapi.exe
1496	sppcomapi.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\q:	sppcomapi.exe
File opened (read-only)	\??\Q:	sppcomapi.exe
File opened (read-only)	\??\A:	sppcomapi.exe
File opened (read-only)	\??\h:	sppcomapi.exe
File opened (read-only)	\??\x:	sppcomapi.exe
File opened (read-only)	\??\A:	sppcomapi.exe
File opened (read-only)	\??\T:	sppcomapi.exe
File opened (read-only)	\??\u:	sppcomapi.exe
File opened (read-only)	\??\R:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\A:	sppcomapi.exe
File opened (read-only)	\??\e:	sppcomapi.exe
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\V:	sppcomapi.exe
File opened (read-only)	\??\r:	sppcomapi.exe
File opened (read-only)	\??\E:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\O:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\k:	sppcomapi.exe
File opened (read-only)	\??\z:	sppcomapi.exe
File opened (read-only)	\??\i:	sppcomapi.exe
File opened (read-only)	\??\U:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\G:	sppcomapi.exe
File opened (read-only)	\??\Z:	sppcomapi.exe
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\T:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\R:	sppcomapi.exe
File opened (read-only)	\??\v:	sppcomapi.exe
File opened (read-only)	\??\n:	sppcomapi.exe
File opened (read-only)	\??\o:	sppcomapi.exe
File opened (read-only)	\??\J:	sppcomapi.exe
File opened (read-only)	\??\O:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\R:	sppcomapi.exe
File opened (read-only)	\??\Z:	sppcomapi.exe
File opened (read-only)	\??\Z:	sppcomapi.exe
File opened (read-only)	\??\P:	sppcomapi.exe
File opened (read-only)	\??\N:	sppcomapi.exe
File opened (read-only)	\??\s:	sppcomapi.exe
File opened (read-only)	\??\K:	sppcomapi.exe
File opened (read-only)	\??\a:	sppcomapi.exe
File opened (read-only)	\??\E:	sppcomapi.exe
File opened (read-only)	\??\Y:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\S:	sppcomapi.exe
File opened (read-only)	\??\E:	sppcomapi.exe
File opened (read-only)	\??\I:	sppcomapi.exe
File opened (read-only)	\??\P:	sppcomapi.exe
File opened (read-only)	\??\T:	sppcomapi.exe
File opened (read-only)	\??\P:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\Y:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\V:	sppcomapi.exe
File opened (read-only)	\??\Q:	sppcomapi.exe
File opened (read-only)	\??\t:	sppcomapi.exe
File opened (read-only)	\??\T:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\N:	sppcomapi.exe
File opened (read-only)	\??\W:	sppcomapi.exe
File opened (read-only)	\??\B:	sppcomapi.exe
File opened (read-only)	\??\b:	sppcomapi.exe
File opened (read-only)	\??\n:	sppcomapi.exe
File opened (read-only)	\??\l:	sppcomapi.exe
File opened (read-only)	\??\X:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\J:	sppcomapi.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	icanhazip.com

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	sppcomapi.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	sppcomapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	sppcomapi.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\5B1U9RNP.txt	sppcomapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	sppcomapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	sppcomapi.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	sppcomapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	sppcomapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	sppcomapi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open\command\ = "\"C:\\ProgramData\\Ole32\\sppcomapi.exe\" /START \"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\DefaultIcon\ = "%1"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\open\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\DefaultIcon	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\DefaultIcon\ = "%1"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\runas\command\ = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\runas\command	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\open	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\DefaultIcon	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\ = "Application"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\shell\open\command	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open\command	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\Content-Type = "application/x-msdownload"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\DefaultIcon	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas\command\ = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\DefaultIcon\ = "%1"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\runas\command	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\DefaultIcon	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\open	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "cscsvc"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\Content-Type = "application/x-msdownload"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\Content-Type = "application/x-msdownload"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ole32\\sppcomapi.exe\" /START \"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\ = "Application"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell\runas\command	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\open\command	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ole32\\sppcomapi.exe\" /START \"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\DefaultIcon\ = "%1"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\ = "Application"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\cscsvc\shell\runas\command	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cscsvc\shell	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\Ole32\\sppcomapi.exe\" /START \"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\cscsvc\shell\runas	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\ = "cscsvc"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.exe\shell\open\command	sppcomapi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	50a07b7dc7fce2caf921093b5017e6b0N.exe
4784	50a07b7dc7fce2caf921093b5017e6b0N.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
684	sppcomapi.exe
684	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
2840	sppcomapi.exe
2840	sppcomapi.exe
2440	sppcomapi.exe
2440	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe
2996	sppcomapi.exe
2996	sppcomapi.exe
5084	sppcomapi.exe
5084	sppcomapi.exe
1496	sppcomapi.exe
1496	sppcomapi.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe
Token: SeIncBasePriorityPrivilege	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe
Token: SeIncBasePriorityPrivilege	684	sppcomapi.exe
Token: SeIncBasePriorityPrivilege	2996	sppcomapi.exe
Token: SeIncBasePriorityPrivilege	2440	sppcomapi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	sppcomapi.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 684	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe	83
PID 4784 wrote to memory of 684	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe	83
PID 4784 wrote to memory of 684	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe	83
PID 4784 wrote to memory of 2996	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe	84
PID 4784 wrote to memory of 2996	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe	84
PID 4784 wrote to memory of 2996	4784	50a07b7dc7fce2caf921093b5017e6b0N.exe	84
PID 684 wrote to memory of 5084	684	sppcomapi.exe	86
PID 684 wrote to memory of 5084	684	sppcomapi.exe	86
PID 684 wrote to memory of 5084	684	sppcomapi.exe	86
PID 2996 wrote to memory of 2840	2996	sppcomapi.exe	88
PID 2996 wrote to memory of 2840	2996	sppcomapi.exe	88
PID 2996 wrote to memory of 2840	2996	sppcomapi.exe	88
PID 2440 wrote to memory of 1496	2440	sppcomapi.exe	90
PID 2440 wrote to memory of 1496	2440	sppcomapi.exe	90
PID 2440 wrote to memory of 1496	2440	sppcomapi.exe	90

C:\Users\Admin\AppData\Local\Temp\50a07b7dc7fce2caf921093b5017e6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\50a07b7dc7fce2caf921093b5017e6b0N.exe"
1⤵
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\ProgramData\Ole32\sppcomapi.exe
  "C:\ProgramData\Ole32\sppcomapi.exe" 1
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Roaming\Ole32\sppcomapi.exe
    "C:\Users\Admin\AppData\Roaming\Ole32\sppcomapi.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5084
- C:\ProgramData\Ole32\sppcomapi.exe
  "C:\ProgramData\Ole32\sppcomapi.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\ProgramData\Ole32\sppcomapi.exe
    "C:\ProgramData\Ole32\sppcomapi.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2840

C:\ProgramData\Ole32\sppcomapi.exe
C:\ProgramData\Ole32\sppcomapi.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\ProgramData\Ole320\sppcomapi.exe
  "C:\ProgramData\Ole320\sppcomapi.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ole320\oprisu\acetxaku.dmp

Filesize
2KB

MD5
5d2ab29e9166c73f22ac9109f9dc17c4

SHA1
5dea89901ed2da98ecd2f5d437f9a2562d3b3296

SHA256
be0038a0c6edd62f2d1a4227a909dff8d8fc95b2c4b63c18d1e26836597efd0e

SHA512
f5445d77b6f3a3654e4a4b5dfdbc51b25bf93ebc20b9ab16ac1c4896bddbd0b04039f002b10cae508dbb663d9df3ac58ed2fb8783e4a26408be8657540924364

Download Submit
C:\ProgramData\Ole320\oprisu\pan.dmp

Filesize
9KB

MD5
e9bd461ff5e85e44d41c0d6b6171e8fb

SHA1
309f6073a9f257bacc0a4edbac8be83fb5cbd8f2

SHA256
47ec18d1443b49491e34c6385908d38b2d937202c9317176384c6b5f4d6461ff

SHA512
dea953f793ff78b19da7d08e92ca88716a917a0f913663b1155b30da22d04679c4081fff9184ca139e48c6d2028f4ae8ea489817c60780b058195a5db3ff7e4b

Download Submit
C:\ProgramData\Ole320\wuusefomve.drv

Filesize
6KB

MD5
7e12f1ea53d46793c21e41f9b9ba7782

SHA1
b3232b188b9d1989d97260989a8c175a14d7d282

SHA256
a843396dd883c4b7faa3e9df53a64573772a2606df17e8406dc5526298699b24

SHA512
f90b9058e89d8aeb7603dee9f1f6879f7dac4cf8da90c866fced0f240154d6f91f28a1e3348274b390043c95b16763d1543db6ef820ce209bb1b707557167d5e

Download Submit
C:\ProgramData\Ole320\xeepame\iwendupee.cat

Filesize
3KB

MD5
27113939fdda7325a18d8079c7e251b7

SHA1
644e9d51c4c552f21e30f5f32e1483624deb25f9

SHA256
9569ea7d1576f3a3f4e881602a2d79db94cf983a75b77e87c61188613766e4f8

SHA512
08541e51d9f65ee5bc06c21786a46cf2fee5ff7b55db26f480325471bde7635e24555d171e0ceb399e466081adf85844a164389f66afb63eaed1b984d5df9657

Download Submit
C:\ProgramData\Ole320\xeepame\oqrusi.cat

Filesize
5KB

MD5
399eab834d5303dcc5aa3c579aa43182

SHA1
5ce6ba5832608ea3fa35598d1576d3d7f127d9f1

SHA256
12871ab5b8b874dd3a04a244a79ab6dd12f1898b9dc8c6860c7bfeea592a46cd

SHA512
9e7593ea65f13d9c768c0a2541ed9735e094a9a9af3edd61731036b16cfdd9d0faca8895d64c27854bf54089272b8eb78daf2c5c47e7411c24429eef7571a024

Download Submit
C:\ProgramData\Ole32\sppcomapi.exe

Filesize
170KB

MD5
e948f9365289e88b814f9dcad215c509

SHA1
0c1c206ac64488eff064f52f6b4d5f3567b02f48

SHA256
929e2026d30f241ac5cb25506d6f2687447be29d782e5dd3dd2dd2b0a8dd1eaa

SHA512
fc750a67fdc03e1d9a6efdca34d52e97061bcce22851c8c95df1f04e5024f247db5050c631958d85ead22d5fa43e29102411ae29dd0194fcf5b8d1b82230f0fc

Download Submit
C:\Users\Admin\AppData\Roaming\Ole32\sppcomapi.exe

Filesize
170KB

MD5
e7646eb88a7050401d7ea1b9417ebdf4

SHA1
358be13cc99f1408e12773ee957f79fbd1b6bfde

SHA256
e249a554f9268e24b98e63faf9111c5cc192779b5a82d2fdf65c5d9532587fd3

SHA512
65829e130165ff60eb963a1d8a353ec578e0b937673089ef0ca0f408728504cb1727ca88638fb0f4a59e5c08215d6400b915ef9c3f2e62a102e390998dba4563

Download Submit
memory/5084-41-0x0000000073BD0000-0x0000000073C09000-memory.dmp

Filesize
228KB

Download
memory/5084-64-0x0000000073BD0000-0x0000000073C09000-memory.dmp

Filesize
228KB

Download