b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
Size

24KB
MD5

3f6ac7b00ec9a46dddf3f386e9969590
SHA1

4dbbe6377cb87bf51328365166a33d4ce65b1683
SHA256

b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4
SHA512

da51b0949fbcc059d6e9f2a48cee98d1922774afb342df65e7ca9a547372d2fb9113f3e6dbcaa8ed094a61cf2dfc0dbfa40bfe873c49fece11c40ba09a6e8f0c
SSDEEP

768:g5BOFKksO1mE9B77777J77c77c77c71xeH1eMRPQE4FhdyV:g8Fs+DB77777J77c77c77c71EbRQh8V

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\373CDB2.exe\""	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\373CDB2.exe\""	373CDB2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\373CDB2.exe\""	373CDB2QSVWUX.exe

Executes dropped EXE 5 IoCs

pid	Process
3968	373CDB2.exe
2980	373CDB2QSVWUX.exe
1940	373CDB2QSVWUX.exe
2144	373CDB2.exe
4912	373CDB2.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1112-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000700000002343b-7.dat	upx
behavioral2/files/0x000700000002343a-9.dat	upx
behavioral2/memory/1940-19-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1940-24-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2144-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4912-35-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1112-37-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-38-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-39-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-41-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-40-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-42-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-44-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-45-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-46-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-49-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-48-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-51-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-50-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3968-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2980-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\373CDB2.exe = "C:\\Windows\\373CDB2.exe"	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\373CDB2.exe = "C:\\Windows\\373CDB2.exe"	373CDB2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\373CDB2.exe = "C:\\Windows\\373CDB2.exe"	373CDB2QSVWUX.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\373CDB2QSVWUX.exe	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
File opened for modification	C:\Windows\373CDB2.exe	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373CDB2QSVWUX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373CDB2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373CDB2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373CDB2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373CDB2QSVWUX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
2988	TASKKILL.exe
4328	TASKKILL.exe
372	TASKKILL.exe
3036	TASKKILL.exe
1620	TASKKILL.exe
676	TASKKILL.exe
1348	TASKKILL.exe
3812	TASKKILL.exe
2168	TASKKILL.exe
2604	TASKKILL.exe
1508	TASKKILL.exe
1136	TASKKILL.exe
2816	TASKKILL.exe
852	TASKKILL.exe
1240	TASKKILL.exe
3008	TASKKILL.exe
1460	TASKKILL.exe
4312	TASKKILL.exe
2060	TASKKILL.exe
3440	TASKKILL.exe
3128	TASKKILL.exe
4692	TASKKILL.exe
636	TASKKILL.exe
1764	TASKKILL.exe
3828	TASKKILL.exe
3160	TASKKILL.exe
1576	TASKKILL.exe
4108	TASKKILL.exe
4640	TASKKILL.exe
4160	TASKKILL.exe
3976	TASKKILL.exe
2724	TASKKILL.exe
400	TASKKILL.exe
4168	TASKKILL.exe
2128	TASKKILL.exe
2968	TASKKILL.exe
864	TASKKILL.exe
684	TASKKILL.exe
4036	TASKKILL.exe
5016	TASKKILL.exe
4564	TASKKILL.exe
3840	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	TASKKILL.exe
Token: SeDebugPrivilege	2968	TASKKILL.exe
Token: SeDebugPrivilege	4692	TASKKILL.exe
Token: SeDebugPrivilege	4160	TASKKILL.exe
Token: SeDebugPrivilege	2988	TASKKILL.exe
Token: SeDebugPrivilege	2724	TASKKILL.exe
Token: SeDebugPrivilege	2168	TASKKILL.exe
Token: SeDebugPrivilege	3976	TASKKILL.exe
Token: SeDebugPrivilege	3828	TASKKILL.exe
Token: SeDebugPrivilege	2604	TASKKILL.exe
Token: SeDebugPrivilege	2816	TASKKILL.exe
Token: SeDebugPrivilege	2060	TASKKILL.exe
Token: SeDebugPrivilege	3840	TASKKILL.exe
Token: SeDebugPrivilege	3812	TASKKILL.exe
Token: SeDebugPrivilege	4036	TASKKILL.exe
Token: SeDebugPrivilege	1240	TASKKILL.exe
Token: SeDebugPrivilege	3036	TASKKILL.exe
Token: SeDebugPrivilege	1576	TASKKILL.exe
Token: SeDebugPrivilege	4564	TASKKILL.exe
Token: SeDebugPrivilege	5016	TASKKILL.exe
Token: SeDebugPrivilege	684	TASKKILL.exe
Token: SeDebugPrivilege	4328	TASKKILL.exe
Token: SeDebugPrivilege	1460	TASKKILL.exe
Token: SeDebugPrivilege	852	TASKKILL.exe
Token: SeDebugPrivilege	636	TASKKILL.exe
Token: SeDebugPrivilege	4168	TASKKILL.exe
Token: SeDebugPrivilege	400	TASKKILL.exe
Token: SeDebugPrivilege	3008	TASKKILL.exe
Token: SeDebugPrivilege	1764	TASKKILL.exe
Token: SeDebugPrivilege	1620	TASKKILL.exe
Token: SeDebugPrivilege	864	TASKKILL.exe
Token: SeDebugPrivilege	676	TASKKILL.exe
Token: SeDebugPrivilege	372	TASKKILL.exe
Token: SeDebugPrivilege	4312	TASKKILL.exe
Token: SeDebugPrivilege	1508	TASKKILL.exe
Token: SeDebugPrivilege	3160	TASKKILL.exe
Token: SeDebugPrivilege	4108	TASKKILL.exe
Token: SeDebugPrivilege	3440	TASKKILL.exe
Token: SeDebugPrivilege	4640	TASKKILL.exe
Token: SeDebugPrivilege	3128	TASKKILL.exe
Token: SeDebugPrivilege	1136	TASKKILL.exe
Token: SeDebugPrivilege	2128	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
3968	373CDB2.exe
2980	373CDB2QSVWUX.exe
1940	373CDB2QSVWUX.exe
2144	373CDB2.exe
4912	373CDB2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2968	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	82
PID 1112 wrote to memory of 2968	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	82
PID 1112 wrote to memory of 2968	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	82
PID 1112 wrote to memory of 3976	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	83
PID 1112 wrote to memory of 3976	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	83
PID 1112 wrote to memory of 3976	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	83
PID 1112 wrote to memory of 1348	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	84
PID 1112 wrote to memory of 1348	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	84
PID 1112 wrote to memory of 1348	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	84
PID 1112 wrote to memory of 2816	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	85
PID 1112 wrote to memory of 2816	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	85
PID 1112 wrote to memory of 2816	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	85
PID 1112 wrote to memory of 2060	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	86
PID 1112 wrote to memory of 2060	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	86
PID 1112 wrote to memory of 2060	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	86
PID 1112 wrote to memory of 4160	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	87
PID 1112 wrote to memory of 4160	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	87
PID 1112 wrote to memory of 4160	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	87
PID 1112 wrote to memory of 3828	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	88
PID 1112 wrote to memory of 3828	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	88
PID 1112 wrote to memory of 3828	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	88
PID 1112 wrote to memory of 2724	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	89
PID 1112 wrote to memory of 2724	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	89
PID 1112 wrote to memory of 2724	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	89
PID 1112 wrote to memory of 2604	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	90
PID 1112 wrote to memory of 2604	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	90
PID 1112 wrote to memory of 2604	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	90
PID 1112 wrote to memory of 3840	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	91
PID 1112 wrote to memory of 3840	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	91
PID 1112 wrote to memory of 3840	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	91
PID 1112 wrote to memory of 2988	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	92
PID 1112 wrote to memory of 2988	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	92
PID 1112 wrote to memory of 2988	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	92
PID 1112 wrote to memory of 2168	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	94
PID 1112 wrote to memory of 2168	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	94
PID 1112 wrote to memory of 2168	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	94
PID 1112 wrote to memory of 4692	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	95
PID 1112 wrote to memory of 4692	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	95
PID 1112 wrote to memory of 4692	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	95
PID 1112 wrote to memory of 3812	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	96
PID 1112 wrote to memory of 3812	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	96
PID 1112 wrote to memory of 3812	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	96
PID 1112 wrote to memory of 3968	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	103
PID 1112 wrote to memory of 3968	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	103
PID 1112 wrote to memory of 3968	1112	b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe	103
PID 3968 wrote to memory of 4036	3968	373CDB2.exe	111
PID 3968 wrote to memory of 4036	3968	373CDB2.exe	111
PID 3968 wrote to memory of 4036	3968	373CDB2.exe	111
PID 3968 wrote to memory of 400	3968	373CDB2.exe	112
PID 3968 wrote to memory of 400	3968	373CDB2.exe	112
PID 3968 wrote to memory of 400	3968	373CDB2.exe	112
PID 3968 wrote to memory of 852	3968	373CDB2.exe	113
PID 3968 wrote to memory of 852	3968	373CDB2.exe	113
PID 3968 wrote to memory of 852	3968	373CDB2.exe	113
PID 3968 wrote to memory of 1576	3968	373CDB2.exe	114
PID 3968 wrote to memory of 1576	3968	373CDB2.exe	114
PID 3968 wrote to memory of 1576	3968	373CDB2.exe	114
PID 3968 wrote to memory of 684	3968	373CDB2.exe	115
PID 3968 wrote to memory of 684	3968	373CDB2.exe	115
PID 3968 wrote to memory of 684	3968	373CDB2.exe	115
PID 3968 wrote to memory of 372	3968	373CDB2.exe	116
PID 3968 wrote to memory of 372	3968	373CDB2.exe	116
PID 3968 wrote to memory of 372	3968	373CDB2.exe	116
PID 3968 wrote to memory of 864	3968	373CDB2.exe	117

C:\Users\Admin\AppData\Local\Temp\b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe
"C:\Users\Admin\AppData\Local\Temp\b6d2a5659af183f2a20dd4062721654b1eb1e3368ad901f57fb3bc04290c06e4N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\373CDB2.exe
  C:\Windows\373CDB2.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\373CDB2QSVWUX.exe
    C:\Windows\373CDB2QSVWUX.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2980
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4312
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3128
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:676
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1136
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4640
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1620
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4108
  - - C:\Windows\373CDB2QSVWUX.exe
      C:\Windows\373CDB2QSVWUX.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1940
  - - C:\Windows\373CDB2.exe
      C:\Windows\373CDB2.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2144
- - C:\Windows\373CDB2.exe
    C:\Windows\373CDB2.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\373CDB2.exe

Filesize
19KB

MD5
4498dd295729661dc35feb111018f163

SHA1
25447ef682c26c37590d40e6ed5b70b9c15fa303

SHA256
dffc01dabeaf4b8e96023e597d94441c7009f8e661f2557eba6269c44a1ce103

SHA512
4196674e5fb1dbfd352ad33fa45b8e8512aca188866cd0bb6d9c24e4c5780a027991810a18507af6fa8f5ba17ca2bde4fa7f0172b8823aedb2f44f8fdea26c29

Download Submit
C:\Windows\373CDB2QSVWUX.exe

Filesize
23KB

MD5
f6d6f65e816535369ef31d98c8eea897

SHA1
47c1f47eace367c73f844b0eada5c270ea498059

SHA256
50cef54f4ad50e6e719e02c391eb42dacc8d4ca940cad3b2365019907f629d64

SHA512
2e56a9c11f81c907fd9e7c70b2159a614d23b7e7a039017837b0d5f223cdaaeb73860fa208196ff11a8956a6f38d4965d8041f2dd0a723b335137ae55eb4a88f

Download Submit
memory/1112-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1112-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1940-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1940-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2144-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-51-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2980-49-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-48-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-46-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-38-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-42-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3968-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4912-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads