Analysis
- max time kernel: 318s
- max time network: 325s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-09-2024 09:01

Static task: static1

Behavioral task: behavioral1
- Sample: Ref227982472 3611316041 有害物情報.Xlsx.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: Ref227982472 3611316041 有害物情報.Xlsx.exe
- Resource: win10v2004-20240802-en

General
- Target: Ref227982472 3611316041 有害物情報.Xlsx.exe
- Size: 644KB
- MD5: 2055e529b8767f5ebaee9afcefd16d91
- SHA1: 521d53678fbba3951f19dd2cfed6e4b0d5ef8914
- SHA256: 550aeabbe62d5a14363bac014c16acb456fd2d92ea227d5762a85a51466e3404
- SHA512: e98333277ff85e147feb5efea6f0376bfbb2cd9bfa361337fdc40c5c211c626b8e7728326d40158e423b33f31eec0cdde3314dee8c19aa82042c747e6aaf01a3
- SSDEEP: 12288:gUxKiiSUMD8mBsdNnyVyPziLeSAkJuf3TBtN:gUxchMAfdgVUziqSAmud3
Malware Config
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
resource | yara_rule
behavioral2/memory/2084-100-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
Command and Scripting Interpreter: PowerShell (1 TTP, 14 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1228 | powershell.exe
3020 | powershell.exe
2432 | powershell.exe
1712 | powershell.exe
1048 | powershell.exe
3740 | powershell.exe
3008 | powershell.exe
3008 | powershell.exe
376 | powershell.exe
1876 | powershell.exe
392 | powershell.exe
4956 | powershell.exe
5048 | powershell.exe
4532 | powershell.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
All six entries are "Key value queried" on \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation, by process:
Process | count
sCWlgOWYFciIYD.exe | 5
Ref227982472 3611316041 有害物情報.Xlsx.exe | 1
Executes dropped EXE (13 IoCs)
pid | Process
2464 | sCWlgOWYFciIYD.exe
2084 | sCWlgOWYFciIYD.exe
2428 | sCWlgOWYFciIYD.exe
696 | sCWlgOWYFciIYD.exe
1548 | sCWlgOWYFciIYD.exe
864 | sCWlgOWYFciIYD.exe
3452 | sCWlgOWYFciIYD.exe
2896 | sCWlgOWYFciIYD.exe
1780 | sCWlgOWYFciIYD.exe
4988 | sCWlgOWYFciIYD.exe
4984 | sCWlgOWYFciIYD.exe
4196 | sCWlgOWYFciIYD.exe
4476 | sCWlgOWYFciIYD.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
All six entries are "Key opened" by sCWlgOWYFciIYD.exe; each key was opened twice:
ioc | count
\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2
\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2
\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
61 | checkip.dyndns.org
69 | checkip.dyndns.org
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\taskschd.msc | mmc.exe
File opened for modification | C:\Windows\system32\eventvwr.msc | mmc.exe
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 2464 set thread context of 2084 | 2464 | sCWlgOWYFciIYD.exe | 123
PID 2428 set thread context of 696 | 2428 | sCWlgOWYFciIYD.exe | 135
PID 1548 set thread context of 4984 | 1548 | sCWlgOWYFciIYD.exe | 148
PID 864 set thread context of 4196 | 864 | sCWlgOWYFciIYD.exe | 155
PID 2896 set thread context of 4476 | 2896 | sCWlgOWYFciIYD.exe | 162
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2344 | 2244 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTP, 31 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 31 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
Process | count
sCWlgOWYFciIYD.exe | 12
powershell.exe | 12
schtasks.exe | 6
Ref227982472 3611316041 有害物情報.Xlsx.exe | 1
Scheduled Task/Job: Scheduled Task (1 TTP, 7 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2988 | schtasks.exe
2284 | schtasks.exe
1640 | schtasks.exe
4344 | schtasks.exe
2532 | schtasks.exe
3076 | schtasks.exe
2312 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Entries grouped by process (count of occurrences in the 64 IoCs):
pid | Process | count
2244 | Ref227982472 3611316041 有害物情報.Xlsx.exe | 5
3008 | powershell.exe | 3
376 | powershell.exe | 3
2464 | sCWlgOWYFciIYD.exe | 3
1712 | powershell.exe | 3
2084 | sCWlgOWYFciIYD.exe | 3
1228 | powershell.exe | 3
2428 | sCWlgOWYFciIYD.exe | 3
3020 | powershell.exe | 3
1876 | powershell.exe | 3
696 | sCWlgOWYFciIYD.exe | 3
1548 | sCWlgOWYFciIYD.exe | 5
4956 | powershell.exe | 3
392 | powershell.exe | 3
4984 | sCWlgOWYFciIYD.exe | 2
864 | sCWlgOWYFciIYD.exe | 3
2432 | powershell.exe | 3
5048 | powershell.exe | 3
4196 | sCWlgOWYFciIYD.exe | 2
2896 | sCWlgOWYFciIYD.exe | 2
1048 | powershell.exe | 2
4532 | powershell.exe | 1
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2888 | mmc.exe
5032 | mmc.exe

Suspicious behavior: SetClipboardViewer (1 IoC)
pid | Process
5032 | mmc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | count
Token: SeDebugPrivilege | 2244 | Ref227982472 3611316041 有害物情報.Xlsx.exe | 1
Token: SeDebugPrivilege | 376 | powershell.exe | 1
Token: SeDebugPrivilege | 3008 | powershell.exe | 1
Token: 33 | 2888 | mmc.exe | 31 (alternating with the row below)
Token: SeIncBasePriorityPrivilege | 2888 | mmc.exe | 30
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2888 | mmc.exe
5032 | mmc.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2888 | mmc.exe
2888 | mmc.exe
5032 | mmc.exe
5032 | mmc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Entries grouped by writer/target pair (count of occurrences in the 64 IoCs):
description | pid | Process | procid_target | count
PID 2244 wrote to memory of 3008 | 2244 | Ref227982472 3611316041 有害物情報.Xlsx.exe | 97 | 3
PID 2244 wrote to memory of 376 | 2244 | Ref227982472 3611316041 有害物情報.Xlsx.exe | 99 | 3
PID 2244 wrote to memory of 2532 | 2244 | Ref227982472 3611316041 有害物情報.Xlsx.exe | 101 | 3
PID 2464 wrote to memory of 1712 | 2464 | sCWlgOWYFciIYD.exe | 117 | 3
PID 2464 wrote to memory of 1228 | 2464 | sCWlgOWYFciIYD.exe | 119 | 3
PID 2464 wrote to memory of 3076 | 2464 | sCWlgOWYFciIYD.exe | 121 | 3
PID 2464 wrote to memory of 2084 | 2464 | sCWlgOWYFciIYD.exe | 123 | 8
PID 440 wrote to memory of 2428 | 440 | cmd.exe | 126 | 3
PID 440 wrote to memory of 3124 | 440 | cmd.exe | 127 | 2
PID 3124 wrote to memory of 5032 | 3124 | eventvwr.exe | 128 | 2
PID 2428 wrote to memory of 3020 | 2428 | sCWlgOWYFciIYD.exe | 129 | 3
PID 2428 wrote to memory of 1876 | 2428 | sCWlgOWYFciIYD.exe | 131 | 3
PID 2428 wrote to memory of 2312 | 2428 | sCWlgOWYFciIYD.exe | 133 | 3
PID 2428 wrote to memory of 696 | 2428 | sCWlgOWYFciIYD.exe | 135 | 8
PID 440 wrote to memory of 1548 | 440 | cmd.exe | 136 | 3
PID 440 wrote to memory of 864 | 440 | cmd.exe | 137 | 3
PID 440 wrote to memory of 3452 | 440 | cmd.exe | 138 | 3
PID 440 wrote to memory of 2896 | 440 | cmd.exe | 139 | 3
PID 440 wrote to memory of 1780 | 440 | cmd.exe | 140 | 2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | sCWlgOWYFciIYD.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | sCWlgOWYFciIYD.exe
Processes
(Process tree; the bracketed number is the depth in the tree, and each entry lists its image path, command line, PID and the signatures it triggered.)

[1] C:\Users\Admin\AppData\Local\Temp\Ref227982472 3611316041 有害物情報.Xlsx.exe (PID 2244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ref227982472 3611316041 有害物情報.Xlsx.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3008)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref227982472 3611316041 有害物情報.Xlsx.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 376)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 2532)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C62.tmp"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\SysWOW64\WerFault.exe (PID 2344)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1752
        - Program crash

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8

[1] C:\Windows\SysWOW64\WerFault.exe (PID 4220)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2244 -ip 2244

[1] C:\Windows\system32\mmc.exe (PID 2888)
    Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

[1] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 2464)
    Command line: C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1712)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1228)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 3076)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DBD.tmp"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 2084)
        Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\rundll32.exe (PID 3672)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Windows\system32\cmd.exe (PID 440)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 2428)
        Command line: sCWlgOWYFciIYD.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3020)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1876)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 2312)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5572.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 696)
            Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - outlook_office_path
            - outlook_win_path

    [2] C:\Windows\system32\eventvwr.exe (PID 3124)
        Command line: eventvwr
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\mmc.exe (PID 5032)
            Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious behavior: SetClipboardViewer
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 1548)
        Command line: sCWlgOWYFciIYD.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4956)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 392)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 2988)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 4988)
            Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 4984)
            Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 864)
        Command line: sCWlgOWYFciIYD.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2432)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5048)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 2284)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3514.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 4196)
            Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 3452)
        Command line: sCWlgOWYFciIYD.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 2896)
        Command line: sCWlgOWYFciIYD.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1048)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4532)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 1640)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D03.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 4476)
            Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 1780)
        Command line: sCWlgOWYFciIYD.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3740)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3008)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
            - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 4344)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmp"
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe (PID 760)
            Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (2): Credentials In Files (2)