3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
Size

19KB
MD5

6103b71e8c01efb84c8673a6a83a6f20
SHA1

bcf90b4b43c65198aa605e9bc9246658524e851e
SHA256

3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491
SHA512

384a2af86b12398f7d27cf2f312f106df0bc1d510d313774337b7d75ce311629f2a12aac90ae43c9184950558176ef0658f00543067b8988bab86ecefac088f6
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5x5+gY7lAt7BDf8:g5BOFKksO1mE9B77777J77c77c77c71S

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3A3995.exe\""	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3A3995.exe\""	3A3995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3A3995.exe\""	3A3995STTUQT.exe

Executes dropped EXE 5 IoCs

pid	Process
2680	3A3995.exe
1056	3A3995STTUQT.exe
988	3A3995STTUQT.exe
684	3A3995.exe
1380	3A3995.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A3995.exe = "C:\\Windows\\3A3995.exe"	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A3995.exe = "C:\\Windows\\3A3995.exe"	3A3995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A3995.exe = "C:\\Windows\\3A3995.exe"	3A3995STTUQT.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2912-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000015d76-3.dat	upx
behavioral1/memory/2680-15-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000015d87-18.dat	upx
behavioral1/memory/1056-23-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/988-25-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/988-30-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/684-35-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1380-37-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2912-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1380-45-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-46-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-48-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-49-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-50-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-51-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-62-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-64-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-66-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2680-68-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1056-69-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3A3995.exe	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
File opened for modification	C:\Windows\3A3995STTUQT.exe	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3995STTUQT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3995STTUQT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3A3995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
3024	TASKKILL.exe
2564	TASKKILL.exe
2476	TASKKILL.exe
1636	TASKKILL.exe
940	TASKKILL.exe
1708	TASKKILL.exe
1064	TASKKILL.exe
2044	TASKKILL.exe
264	TASKKILL.exe
1872	TASKKILL.exe
900	TASKKILL.exe
300	TASKKILL.exe
1092	TASKKILL.exe
2836	TASKKILL.exe
2532	TASKKILL.exe
1108	TASKKILL.exe
2952	TASKKILL.exe
2520	TASKKILL.exe
2488	TASKKILL.exe
2824	TASKKILL.exe
1724	TASKKILL.exe
2848	TASKKILL.exe
1452	TASKKILL.exe
1856	TASKKILL.exe
1392	TASKKILL.exe
2724	TASKKILL.exe
2500	TASKKILL.exe
1356	TASKKILL.exe
2516	TASKKILL.exe
2412	TASKKILL.exe
1224	TASKKILL.exe
2420	TASKKILL.exe
1112	TASKKILL.exe
2560	TASKKILL.exe
2304	TASKKILL.exe
2196	TASKKILL.exe
1292	TASKKILL.exe
2236	TASKKILL.exe
1316	TASKKILL.exe
2644	TASKKILL.exe
1268	TASKKILL.exe
2968	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	TASKKILL.exe
Token: SeDebugPrivilege	1292	TASKKILL.exe
Token: SeDebugPrivilege	2304	TASKKILL.exe
Token: SeDebugPrivilege	2560	TASKKILL.exe
Token: SeDebugPrivilege	2564	TASKKILL.exe
Token: SeDebugPrivilege	2836	TASKKILL.exe
Token: SeDebugPrivilege	3024	TASKKILL.exe
Token: SeDebugPrivilege	1724	TASKKILL.exe
Token: SeDebugPrivilege	1224	TASKKILL.exe
Token: SeDebugPrivilege	2724	TASKKILL.exe
Token: SeDebugPrivilege	2476	TASKKILL.exe
Token: SeDebugPrivilege	2044	TASKKILL.exe
Token: SeDebugPrivilege	2824	TASKKILL.exe
Token: SeDebugPrivilege	1268	TASKKILL.exe
Token: SeDebugPrivilege	1064	TASKKILL.exe
Token: SeDebugPrivilege	1108	TASKKILL.exe
Token: SeDebugPrivilege	2196	TASKKILL.exe
Token: SeDebugPrivilege	1452	TASKKILL.exe
Token: SeDebugPrivilege	2952	TASKKILL.exe
Token: SeDebugPrivilege	2520	TASKKILL.exe
Token: SeDebugPrivilege	2848	TASKKILL.exe
Token: SeDebugPrivilege	2236	TASKKILL.exe
Token: SeDebugPrivilege	2412	TASKKILL.exe
Token: SeDebugPrivilege	2500	TASKKILL.exe
Token: SeDebugPrivilege	2532	TASKKILL.exe
Token: SeDebugPrivilege	1316	TASKKILL.exe
Token: SeDebugPrivilege	2644	TASKKILL.exe
Token: SeDebugPrivilege	2420	TASKKILL.exe
Token: SeDebugPrivilege	2488	TASKKILL.exe
Token: SeDebugPrivilege	1112	TASKKILL.exe
Token: SeDebugPrivilege	1356	TASKKILL.exe
Token: SeDebugPrivilege	264	TASKKILL.exe
Token: SeDebugPrivilege	2968	TASKKILL.exe
Token: SeDebugPrivilege	900	TASKKILL.exe
Token: SeDebugPrivilege	940	TASKKILL.exe
Token: SeDebugPrivilege	1872	TASKKILL.exe
Token: SeDebugPrivilege	1856	TASKKILL.exe
Token: SeDebugPrivilege	1092	TASKKILL.exe
Token: SeDebugPrivilege	300	TASKKILL.exe
Token: SeDebugPrivilege	2516	TASKKILL.exe
Token: SeDebugPrivilege	1392	TASKKILL.exe
Token: SeDebugPrivilege	1636	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
2680	3A3995.exe
1056	3A3995STTUQT.exe
988	3A3995STTUQT.exe
684	3A3995.exe
1380	3A3995.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3024	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	28
PID 2912 wrote to memory of 3024	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	28
PID 2912 wrote to memory of 3024	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	28
PID 2912 wrote to memory of 3024	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	28
PID 2912 wrote to memory of 2564	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	29
PID 2912 wrote to memory of 2564	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	29
PID 2912 wrote to memory of 2564	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	29
PID 2912 wrote to memory of 2564	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	29
PID 2912 wrote to memory of 2560	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	30
PID 2912 wrote to memory of 2560	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	30
PID 2912 wrote to memory of 2560	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	30
PID 2912 wrote to memory of 2560	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	30
PID 2912 wrote to memory of 2836	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	31
PID 2912 wrote to memory of 2836	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	31
PID 2912 wrote to memory of 2836	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	31
PID 2912 wrote to memory of 2836	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	31
PID 2912 wrote to memory of 1224	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	32
PID 2912 wrote to memory of 1224	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	32
PID 2912 wrote to memory of 1224	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	32
PID 2912 wrote to memory of 1224	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	32
PID 2912 wrote to memory of 2412	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	34
PID 2912 wrote to memory of 2412	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	34
PID 2912 wrote to memory of 2412	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	34
PID 2912 wrote to memory of 2412	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	34
PID 2912 wrote to memory of 2304	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	36
PID 2912 wrote to memory of 2304	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	36
PID 2912 wrote to memory of 2304	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	36
PID 2912 wrote to memory of 2304	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	36
PID 2912 wrote to memory of 1724	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	37
PID 2912 wrote to memory of 1724	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	37
PID 2912 wrote to memory of 1724	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	37
PID 2912 wrote to memory of 1724	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	37
PID 2912 wrote to memory of 2196	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	38
PID 2912 wrote to memory of 2196	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	38
PID 2912 wrote to memory of 2196	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	38
PID 2912 wrote to memory of 2196	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	38
PID 2912 wrote to memory of 1708	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	39
PID 2912 wrote to memory of 1708	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	39
PID 2912 wrote to memory of 1708	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	39
PID 2912 wrote to memory of 1708	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	39
PID 2912 wrote to memory of 2420	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	46
PID 2912 wrote to memory of 2420	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	46
PID 2912 wrote to memory of 2420	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	46
PID 2912 wrote to memory of 2420	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	46
PID 2912 wrote to memory of 1064	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	48
PID 2912 wrote to memory of 1064	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	48
PID 2912 wrote to memory of 1064	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	48
PID 2912 wrote to memory of 1064	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	48
PID 2912 wrote to memory of 1292	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	49
PID 2912 wrote to memory of 1292	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	49
PID 2912 wrote to memory of 1292	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	49
PID 2912 wrote to memory of 1292	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	49
PID 2912 wrote to memory of 2044	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	50
PID 2912 wrote to memory of 2044	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	50
PID 2912 wrote to memory of 2044	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	50
PID 2912 wrote to memory of 2044	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	50
PID 2912 wrote to memory of 2680	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	56
PID 2912 wrote to memory of 2680	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	56
PID 2912 wrote to memory of 2680	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	56
PID 2912 wrote to memory of 2680	2912	3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe	56
PID 2680 wrote to memory of 1268	2680	3A3995.exe	57
PID 2680 wrote to memory of 1268	2680	3A3995.exe	57
PID 2680 wrote to memory of 1268	2680	3A3995.exe	57
PID 2680 wrote to memory of 1268	2680	3A3995.exe	57

C:\Users\Admin\AppData\Local\Temp\3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
"C:\Users\Admin\AppData\Local\Temp\3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\3A3995.exe
  C:\Windows\3A3995.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\3A3995STTUQT.exe
    C:\Windows\3A3995STTUQT.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1056
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:264
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1112
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2516
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1392
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1092
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\3A3995STTUQT.exe
      C:\Windows\3A3995STTUQT.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:988
  - - C:\Windows\3A3995.exe
      C:\Windows\3A3995.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:684
- - C:\Windows\3A3995.exe
    C:\Windows\3A3995.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\3A3995.exe

Filesize
19KB

MD5
a9ce56760872bd1c3fe88a7c13cba8cd

SHA1
290b0970b71d9167ffce62cbc182f312b7d9f880

SHA256
96399a0b71e291237d757f9413c8a72ceecdb8bb6c00930de34465bf77ad4762

SHA512
22897c096ab6262d49a8cb8f870f8eaa1363cbc20bd5b1aa1ac52582a57a1b7e9dd0ff90b771825febd1775618493a03e8024d6f4d9b36f833ea56e54fc13dba

Download Submit
C:\Windows\3A3995STTUQT.exe

Filesize
19KB

MD5
c796d548f203c38c4abb1119e1c7c01e

SHA1
8cd964a9cce3c5878bddf1d47fe4f116f0fd61ba

SHA256
92e108907c577e683a266ac92155080ed6fe83d3b10ce4032d78b5397aa441d9

SHA512
496e87e8084f822d5d6492e55b334c00697598303765e7cd22cfc625b6399c6d0060da2758d6438c61580a2199596e9a7111048d6e763ed9c802950a63110538

Download Submit
memory/684-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/988-30-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/988-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-23-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-69-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-51-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-49-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1056-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1380-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1380-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-48-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-46-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-22-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2680-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2912-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2912-14-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/2912-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2912-13-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads