Analysis
- max time kernel: 120s
- max time network: 116s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 04:34
Static task: static1
Behavioral task: behavioral1
- Sample: b762c1ea72088d0fc76ba15ba88546b0N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: b762c1ea72088d0fc76ba15ba88546b0N.exe
- Resource: win10v2004-20240802-en
General
- Target: b762c1ea72088d0fc76ba15ba88546b0N.exe
- Size: 347KB
- MD5: b762c1ea72088d0fc76ba15ba88546b0
- SHA1: e237dce878e5150c6d280fe880013770a743f757
- SHA256: 9af6ef03c826020df82ebfb87116061443ea027544fc5c352b7629e518a76ff1
- SHA512: cda6c555a9fa9fc5b1cbd6cad5ceb7b391100a199cd6e1e8011ceb380c95c83a450bc7695176cfb4f5298710943680ef412c31af35b4f5709ffa940d2b58d2a3
- SSDEEP: 6144:CY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju49:xnWwvHpVmXpjJIUd2cUusvalx9
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\MEK2U0D.exe\"" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\MEK2U0D.exe\"" | lsass.exe
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Disables use of System Restore points 1 TTPs
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x00080000000143c3-117.dat | acprotect
Executes dropped EXE 4 IoCs
pid | Process
1412 | service.exe
2940 | smss.exe
2924 | system.exe
696 | lsass.exe
Loads dropped DLL 6 IoCs
pid | Process
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
Modifies system executable filetype association 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
resource | yara_rule
behavioral1/files/0x00080000000143c3-117.dat | upx
behavioral1/memory/2924-226-0x0000000010000000-0x0000000010075000-memory.dmp | upx
behavioral1/memory/2924-224-0x0000000010000000-0x0000000010075000-memory.dmp | upx
behavioral1/memory/2924-234-0x0000000010000000-0x0000000010075000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\sIO3C5I0 = "C:\\Windows\\system32\\OJH8O4JKPY7U7S.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0U0DPY = "C:\\Windows\\FHR3C5I.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\sIO3C5I0 = "C:\\Windows\\system32\\OJH8O4JKPY7U7S.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0U0DPY = "C:\\Windows\\FHR3C5I.exe" | system.exe
Drops desktop.ini file(s) 28 IoCs
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 35 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b762c1ea72088d0fc76ba15ba88546b0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
Modifies registry class 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | system.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeBackupPrivilege | 2924 | system.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe
1412 | service.exe
2940 | smss.exe
2924 | system.exe
696 | lsass.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 3060 wrote to memory of 1412 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 30
PID 3060 wrote to memory of 1412 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 30
PID 3060 wrote to memory of 1412 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 30
PID 3060 wrote to memory of 1412 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 30
PID 3060 wrote to memory of 2940 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 31
PID 3060 wrote to memory of 2940 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 31
PID 3060 wrote to memory of 2940 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 31
PID 3060 wrote to memory of 2940 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 31
PID 3060 wrote to memory of 2924 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 32
PID 3060 wrote to memory of 2924 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 32
PID 3060 wrote to memory of 2924 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 32
PID 3060 wrote to memory of 2924 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 32
PID 3060 wrote to memory of 696 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 33
PID 3060 wrote to memory of 696 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 33
PID 3060 wrote to memory of 696 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 33
PID 3060 wrote to memory of 696 | 3060 | b762c1ea72088d0fc76ba15ba88546b0N.exe | 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\b762c1ea72088d0fc76ba15ba88546b0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b762c1ea72088d0fc76ba15ba88546b0N.exe"
   PID: 3060
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
      Command line: "C:\Windows\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
      PID: 1412
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
      Command line: "C:\Windows\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
      PID: 2940
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      Command line: "C:\Windows\DIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      PID: 2924
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\lsass.exe
      Command line: "C:\Windows\lsass.exe"
      PID: 696
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (5)
Downloads