fcc272c17085628dc108426a9aeea8a55ecaf9a68c4756cbe7da7bbbda77aed9

Analysis

max time kernel
94s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Internet Explorer/iediagcmd.exe
Size

528KB
MD5

e7276e0f11dc763ee18dedfc7ee31b7c
SHA1

da3e7ccf857aa0a19921b2f45d33269d41d7e513
SHA256

0ec05d16b1ae0b2362e521902796c32ac9cd3cbbb05e56b564902229a32297a0
SHA512

a028275679b84c886144640b7e6e35e3a0ec0d747995a002d3859938d2b37f16f86a36b621894be1376e77a6bf176828e0795c8f9e90d571866a868906bf74c7
SSDEEP

6144:kkZIE1d78DBfKJcfh2mq1Zi2H2vAwP5gZpOZ1INeWe9Rlvm/JTIbvzKJcfh2m213:kk7ADBfpq1Zi2HOKOXIwgT8p21ZZ

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2380	netsh.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
648	ipconfig.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{7CF6ABDB-10A1-454D-BE70-1DD2F9BF3EDA}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	iediagcmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2352	dxdiag.exe
2352	dxdiag.exe
948	iediagcmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe
Token: SeSecurityPrivilege	948	iediagcmd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
948	iediagcmd.exe
948	iediagcmd.exe
2352	dxdiag.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2352	948	iediagcmd.exe	83
PID 948 wrote to memory of 2352	948	iediagcmd.exe	83
PID 948 wrote to memory of 648	948	iediagcmd.exe	86
PID 948 wrote to memory of 648	948	iediagcmd.exe	86
PID 948 wrote to memory of 3180	948	iediagcmd.exe	88
PID 948 wrote to memory of 3180	948	iediagcmd.exe	88
PID 948 wrote to memory of 4020	948	iediagcmd.exe	90
PID 948 wrote to memory of 4020	948	iediagcmd.exe	90
PID 948 wrote to memory of 2380	948	iediagcmd.exe	92
PID 948 wrote to memory of 2380	948	iediagcmd.exe	92
PID 948 wrote to memory of 4908	948	iediagcmd.exe	94
PID 948 wrote to memory of 4908	948	iediagcmd.exe	94
PID 948 wrote to memory of 2784	948	iediagcmd.exe	96
PID 948 wrote to memory of 2784	948	iediagcmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Internet Explorer\iediagcmd.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Explorer\iediagcmd.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\system32\dxdiag.exe
  "C:\Windows\system32\dxdiag.exe" /x C:\Users\Admin\AppData\Local\Temp\dxdiag.xml
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" /all
  2⤵
  - Gathers network information
  PID:648
- C:\Windows\SYSTEM32\route.exe
  "route" print
  2⤵
  PID:3180
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" in tcp show global
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4020
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall show rule name=all verbose
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2380
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" winsock show catalog
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4908
- C:\Windows\SYSTEM32\makecab.exe
  "makecab.exe" /F "C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt"
  2⤵
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IEDiag.json

Filesize
26KB

MD5
25c5e888f2739f7a22835f4115152a59

SHA1
073c5c117230dff53b80e50e7a088b242d87e277

SHA256
d6e9979dc4fa5b17902a15999e17bfd9792304f0642629245d654874cd646719

SHA512
43c9d46083304ea536cf36281754c5030fa450b6f02966c21856cf317823630856b3699c5e510f1f31a2b94efb538b0a7eadf4c3f170770d09961e40e0eefbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEDiag.xml

Filesize
2.2MB

MD5
619676df66d1e2930389dae2e1f0aa3b

SHA1
e7f8b89792ce585fd1e30a018c8f2ea34b98685c

SHA256
04de6dbb93e64f1450a5469dfaa6830dcfffc60eee21f26ed61b83ee4dc7f920

SHA512
6ca6bd33b6939e4bb53cb171b081fc7ee40e60a7d5f9e13cbea2f66bbe50bdff09e1a17a098bf983283910fb6505522df220123e8826b0ba9eb8956003e8dea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxdiag.xml

Filesize
172KB

MD5
4cc5b5a08d76602b2c878bdbb5a91f3a

SHA1
4d2e3d539aa321077939724ece1fee2337ced3c9

SHA256
4eca901e03993c298beed88dbc95be88a715e0bbcfd840ab7b5dc82e5263f552

SHA512
bfad4ba4fc635ad5c0b444f0d62dc15ca9279ffa9bebcb81e69db7ba3bf2d5b8b40bc5cd55b391f576be2dd60d369f78c8f3d84ad2aac2dd813e3a139bae4d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt

Filesize
515B

MD5
14c148857af11ebcee263a2fb2b359ee

SHA1
710cb526ed69db7fdcc5da6b49241f70101e12fb

SHA256
810a37010bd4e6eed276310610dc4ebc7cc91535edf65e6ba6d9ed6edbe793ac

SHA512
d47ff7bdb40d518cf8daed410f29fea0f990457ed2da25ff2840a3bdcda77abe0b1b9948198a105a217fadbd4e4eed80fd0eb4338db7202892b9b4b910189e12

Download Submit
memory/948-5-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-4-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-6-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-0-0x00007FF8FA5E3000-0x00007FF8FA5E5000-memory.dmp

Filesize
8KB

Download
memory/948-92-0x000002271FF00000-0x0000022720657000-memory.dmp

Filesize
7.3MB

Download
memory/948-93-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-3-0x0000022720B70000-0x0000022720D32000-memory.dmp

Filesize
1.8MB

Download
memory/948-37-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-2-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-41-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-40-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-39-0x000002271FF00000-0x0000022720657000-memory.dmp

Filesize
7.3MB

Download
memory/948-38-0x00007FF8FA5E0000-0x00007FF8FB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/948-1-0x00007FF63A3D0000-0x00007FF63A454000-memory.dmp

Filesize
528KB

Download
memory/948-35-0x0000022721270000-0x0000022721798000-memory.dmp

Filesize
5.2MB

Download
memory/948-36-0x00007FF8FA5E3000-0x00007FF8FA5E5000-memory.dmp

Filesize
8KB

Download
memory/2352-7-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-13-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-14-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-15-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-16-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-17-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-18-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-19-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-9-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download
memory/2352-8-0x0000028749D20000-0x0000028749D21000-memory.dmp

Filesize
4KB

Download