bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fd

Analysis

max time kernel
8s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
Size

1.1MB
MD5

ef7a8b804550b897bbc498bad7aeaf40
SHA1

987c2f090d09edc22eadfadff58241d97883a863
SHA256

bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fd
SHA512

e42c742762f8bc32ea7fa1e6fd22454ebeb0bb0e3b31cbbb8f2abe6f75fc13fac1facdcd76ecac6462fe1af287ce77cb5374b5a18d443b46f054b774c6dbe35f
SSDEEP

12288:BwG9izpJ5n46SncBH7MTX0svLv/HbHt4SpcHGAB/Kc27P5HV0HiG+uLP6njiY25+:nMxIl

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
532	svchost.exe
2932	svchost.exe
848	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\MSSN\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 set thread context of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 532 set thread context of 1780	532	svchost.exe	36
PID 532 set thread context of 2932	532	svchost.exe	37
PID 532 set thread context of 848	532	svchost.exe	38

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1984-0-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/1984-97-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/1984-80-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/1984-136-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/2456-140-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1984-117-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/2456-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2456-134-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2456-133-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2456-130-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2456-128-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2456-165-0x0000000003790000-0x00000000038B1000-memory.dmp	upx
behavioral1/files/0x0015000000018682-163.dat	upx
behavioral1/memory/532-307-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/2456-310-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/848-306-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2932-305-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2456-304-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1984-302-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/848-312-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2932-311-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1716	reg.exe
2188	reg.exe
2340	reg.exe
2280	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe
2876	svchost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	848	svchost.exe
Token: SeCreateTokenPrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeLockMemoryPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeMachineAccountPrivilege	848	svchost.exe
Token: SeTcbPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemProfilePrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeProfSingleProcessPrivilege	848	svchost.exe
Token: SeIncBasePriorityPrivilege	848	svchost.exe
Token: SeCreatePagefilePrivilege	848	svchost.exe
Token: SeCreatePermanentPrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeDebugPrivilege	848	svchost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeChangeNotifyPrivilege	848	svchost.exe
Token: SeRemoteShutdownPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeSyncAgentPrivilege	848	svchost.exe
Token: SeEnableDelegationPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeImpersonatePrivilege	848	svchost.exe
Token: SeCreateGlobalPrivilege	848	svchost.exe
Token: 31	848	svchost.exe
Token: 32	848	svchost.exe
Token: 33	848	svchost.exe
Token: 34	848	svchost.exe
Token: 35	848	svchost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
2876	svchost.exe
2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
532	svchost.exe
1780	svchost.exe
2932	svchost.exe
848	svchost.exe
848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2876	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	30
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 1984 wrote to memory of 2456	1984	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	31
PID 2456 wrote to memory of 2024	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	32
PID 2456 wrote to memory of 2024	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	32
PID 2456 wrote to memory of 2024	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	32
PID 2456 wrote to memory of 2024	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	32
PID 2024 wrote to memory of 980	2024	cmd.exe	34
PID 2024 wrote to memory of 980	2024	cmd.exe	34
PID 2024 wrote to memory of 980	2024	cmd.exe	34
PID 2024 wrote to memory of 980	2024	cmd.exe	34
PID 2456 wrote to memory of 532	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	35
PID 2456 wrote to memory of 532	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	35
PID 2456 wrote to memory of 532	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	35
PID 2456 wrote to memory of 532	2456	bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe	35
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 1780	532	svchost.exe	36
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 2932	532	svchost.exe	37
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 532 wrote to memory of 848	532	svchost.exe	38
PID 848 wrote to memory of 2488	848	svchost.exe	39
PID 848 wrote to memory of 2488	848	svchost.exe	39
PID 848 wrote to memory of 2488	848	svchost.exe	39
PID 848 wrote to memory of 2488	848	svchost.exe	39
PID 848 wrote to memory of 2272	848	svchost.exe	41
PID 848 wrote to memory of 2272	848	svchost.exe	41
PID 848 wrote to memory of 2272	848	svchost.exe	41
PID 848 wrote to memory of 2272	848	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
"C:\Users\Admin\AppData\Local\Temp\bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe
  "C:\Users\Admin\AppData\Local\Temp\bd72f558aa6f09a22cb29da843205b7078e40daecf3f9cbc877424c885a8c0fdN.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KPLMX.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:980
- - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
    "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1780
  - - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
      "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2932
  - - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
      "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:2180
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KPLMX.bat

Filesize
141B

MD5
eedf1bdeda7a9e6d314f346ae723cef1

SHA1
0680703a702f23e44ca855381c8764cfb7ec406e

SHA256
c8eed6be01e84beeef07e298e0db3a86e14d265f176034c1a1b6b386f3766920

SHA512
5d7081569bfea250054a49efea9d444ff7af9a351b959fec6197896622d9b0af4b32711c987493a088f2068834095e57ecd7856423b61fb5b950a7b704fdb364

Download Submit
\Users\Admin\AppData\Roaming\MSSN\svchost.exe

Filesize
1.1MB

MD5
9db64342fad92a23196d4a84fff0b984

SHA1
fe8f31708e5ae1ea666d05f48645066f63a33428

SHA256
4d6ea5db841ff2c75728bdc0a7a71ec439a4b538e40d8dd2dc437aa2ea8b35d8

SHA512
5b105bfac74c7d87813b55e9413e0d5ea489c7f2e4b766710189ef2e58143257aa18ce968de766eb8042d3822b35f31254423c6203015789a8f4f4bff5956bb9

Download Submit
memory/532-307-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/848-312-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/848-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1984-97-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1984-28-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1984-80-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1984-78-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1984-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1984-60-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1984-40-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1984-83-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1984-117-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1984-302-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1984-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1984-25-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/1984-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1984-0-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1984-136-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1984-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2456-165-0x0000000003790000-0x00000000038B1000-memory.dmp

Filesize
1.1MB

Download
memory/2456-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-304-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-310-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-134-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-132-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-130-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-128-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-126-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-178-0x0000000003790000-0x00000000038B1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-98-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-100-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-113-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-104-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-106-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-112-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-303-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-110-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2932-305-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2932-311-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download