Analysis

max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2024 05:01
Static task: static1

Behavioral task: behavioral1
  Sample: winscp-6-3-5.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: winscp-6-3-5.exe
  Resource: win10v2004-20240802-en
General

Target: winscp-6-3-5.exe
Size: 11.1MB
MD5: d77322dc956da781905d553e3feb9153
SHA1: 89db51587ecfb071fe71add71050e2d9e5377539
SHA256: 49e17ce8b1df637a71dfac483e9fef72f6747e4235cce3871a1bb3f3a1371127
SHA512: af2ec6d994f8e4fcf912cfa122136a2262991fccc46b6dc98963f83e1f8170010b3c03076b134e81b4bdb54a1d1353cfa1328afc4c206c97113929e71ef437d4
SSDEEP: 196608:07YbPaZbS+UseezGoXBWC6KtWrFhxC7a2RfhFMdccHCxJG++ZztkrRJHpMt4eQ:tL+bpUsR/tWrzxCO21occifG+KtcNr
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WinSCP.exe, WinSCP.exe, WinSCP.exe

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | WinSCP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | WinSCP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | WinSCP.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (62 IoCs)
Processes: winscp-6-3-5.tmp

description | ioc | Process
File created | C:\Program Files (x86)\WinSCP\PuTTY\is-P8QNC.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-DFUIG.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-ADK4P.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-U4TA7.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-AAK1O.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-RON3Q.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-8LUSH.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-3LB1N.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-0Q7CO.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-F6M78.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-H419K.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-P79QG.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-M3RFD.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-FC6JM.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-0FDD4.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-9U2KR.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\unins000.msg | winscp-6-3-5.tmp
File opened for modification | C:\Program Files (x86)\WinSCP\unins000.dat | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-CTA64.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\PuTTY\is-RH4GP.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\PuTTY\is-CVEEG.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-9JBBD.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-O50NI.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-1LR61.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-JK5RS.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-4HUQP.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-CR1C8.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-05A9O.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-TIHH1.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-LO80S.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-SI0C7.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-M83I1.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-KTCJT.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-4ESQK.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-OLCGE.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-4UTA9.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-LOB7A.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-CH5P1.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-36DIN.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-8PET4.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-NQVV1.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\unins000.dat | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-6L57O.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-4QHQ1.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-P7F5P.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-GS02T.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-8DIFF.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-SV8QN.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-SPIM0.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-EGTU6.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\is-L6078.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\PuTTY\is-9FGHD.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-Q7PRE.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-JKFUD.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Extensions\is-5LBSN.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-0S003.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-EB76D.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-5AK0N.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-KT78R.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-QKJHA.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-1635J.tmp | winscp-6-3-5.tmp
File created | C:\Program Files (x86)\WinSCP\Translations\is-3MKNJ.tmp | winscp-6-3-5.tmp
Executes dropped EXE (4 IoCs)
Processes: winscp-6-3-5.tmp, WinSCP.exe, WinSCP.exe, WinSCP.exe

pid | Process
2976 | winscp-6-3-5.tmp
3020 | WinSCP.exe
4576 | WinSCP.exe
2176 | WinSCP.exe
Loads dropped DLL (2 IoCs)
Processes: regsvr32.exe, regsvr32.exe

pid | Process
4920 | regsvr32.exe
1540 | regsvr32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: winscp-6-3-5.exe, winscp-6-3-5.tmp, regsvr32.exe, WinSCP.exe, WinSCP.exe, WinSCP.exe

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winscp-6-3-5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winscp-6-3-5.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinSCP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinSCP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinSCP.exe
Modifies registry class (64 IoCs)
Processes: WinSCP.exe, regsvr32.exe

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\DefaultIcon | WinSCP.exe
Key created | \REGISTRY\MACHINE\Software\Classes\ftpes | WinSCP.exe
Key created | \REGISTRY\MACHINE\Software\Classes\dav | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dav\ = "URL: dav Protocol" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\ = "URL: winscp-SFTP Protocol" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\ = "URL: winscp-HTTP Protocol" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\shell | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssh\URL Protocol | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dav\DefaultIcon | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dav\shell\open\command | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dav\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\davs\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\s3\BrowserFlags = "8" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ = "C:\\Program Files (x86)\\WinSCP\\DragExt64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssh\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\URL Protocol | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sftp\DefaultIcon | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\shell | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\URL Protocol | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\ = "URL: winscp-FTPS Protocol" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\BrowserFlags = "8" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\davs\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Key created | \REGISTRY\MACHINE\Software\Classes\winscp-DAV | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\shell\open\command | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\DefaultIcon | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssh\BrowserFlags = "8" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\ = "URL: winscp-DAVS Protocol" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\DefaultIcon | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\URL Protocol | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\s3\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\shell\open | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\ = "URL: winscp-FTPES Protocol" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\BrowserFlags = "8" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\shell\open\command | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dav\shell\open | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\URL Protocol | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\URL Protocol | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon | WinSCP.exe
Key created | \REGISTRY\MACHINE\Software\Classes\winscp-SFTP | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\shell\open | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftps\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\EditFlags = "2" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\BrowserFlags = "8" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftps\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftps\EditFlags = "2" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sftp\shell\open\command | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\shell | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\dav\EditFlags = "2" | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\"" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scp\shell\open | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\DefaultIcon | WinSCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0" | WinSCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\URL Protocol | WinSCP.exe
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.

description | flow | ioc
HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 43 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: WinSCP.exe, WinSCP.exe, WinSCP.exe

pid | Process
3020 | WinSCP.exe
3020 | WinSCP.exe
4576 | WinSCP.exe
4576 | WinSCP.exe
2176 | WinSCP.exe
2176 | WinSCP.exe
2176 | WinSCP.exe
2176 | WinSCP.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: winscp-6-3-5.tmp

pid | Process
2976 | winscp-6-3-5.tmp
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: WinSCP.exe, WinSCP.exe, WinSCP.exe

pid | Process
3020 | WinSCP.exe
4576 | WinSCP.exe
2176 | WinSCP.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: winscp-6-3-5.exe, winscp-6-3-5.tmp, regsvr32.exe

description | pid | Process | procid_target
PID 2516 wrote to memory of 2976 | 2516 | winscp-6-3-5.exe | 82
PID 2516 wrote to memory of 2976 | 2516 | winscp-6-3-5.exe | 82
PID 2516 wrote to memory of 2976 | 2516 | winscp-6-3-5.exe | 82
PID 2976 wrote to memory of 4920 | 2976 | winscp-6-3-5.tmp | 91
PID 2976 wrote to memory of 4920 | 2976 | winscp-6-3-5.tmp | 91
PID 2976 wrote to memory of 4920 | 2976 | winscp-6-3-5.tmp | 91
PID 4920 wrote to memory of 1540 | 4920 | regsvr32.exe | 92
PID 4920 wrote to memory of 1540 | 4920 | regsvr32.exe | 92
PID 2976 wrote to memory of 3020 | 2976 | winscp-6-3-5.tmp | 94
PID 2976 wrote to memory of 3020 | 2976 | winscp-6-3-5.tmp | 94
PID 2976 wrote to memory of 3020 | 2976 | winscp-6-3-5.tmp | 94
PID 2976 wrote to memory of 4576 | 2976 | winscp-6-3-5.tmp | 96
PID 2976 wrote to memory of 4576 | 2976 | winscp-6-3-5.tmp | 96
PID 2976 wrote to memory of 4576 | 2976 | winscp-6-3-5.tmp | 96
PID 2976 wrote to memory of 2176 | 2976 | winscp-6-3-5.tmp | 97
PID 2976 wrote to memory of 2176 | 2976 | winscp-6-3-5.tmp | 97
PID 2976 wrote to memory of 2176 | 2976 | winscp-6-3-5.tmp | 97
Processes (process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\winscp-6-3-5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\winscp-6-3-5.exe"
    PID: 2516
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\is-G3H4U.tmp\winscp-6-3-5.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-G3H4U.tmp\winscp-6-3-5.tmp" /SL5="$4017E,10489221,930816,C:\Users\Admin\AppData\Local\Temp\winscp-6-3-5.exe"
        PID: 2976
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
            PID: 4920
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\regsvr32.exe
                Command line: /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
                PID: 1540
                - Loads dropped DLL
                - Modifies registry class

        [3] C:\Program Files (x86)\WinSCP\WinSCP.exe
            Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols
            PID: 3020
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

        [3] C:\Program Files (x86)\WinSCP\WinSCP.exe
            Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny
            PID: 4576
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

        [3] C:\Program Files (x86)\WinSCP\WinSCP.exe
            Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,
            PID: 2176
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 480KB
MD5: be89ea8516602a811554df2c62c811dd
SHA1: f535562499dee9830338ceb7549659655022b4b2
SHA256: ab0ca9bea36ae579c28832e4f0b80a0675428adad27a5866aec220b73c73822a
SHA512: af4cbe6b051efd95b999a5eaedb720c7994ae1673b928ceb762d9b76cf70e4b8cd537a2891905d054d751e6542d524fc062e29ccadbb677bb806bb962436b277

Filesize: 6KB
MD5: b16082ceeb34da39af1d52adc88be7db
SHA1: b7719fec4c89fe09904ae5fecf96aa364914e57e
SHA256: beee09ea768f58f29f03025984e0ce8fe4f8fd8c9cc454d9fa3869ba679f5356
SHA512: bb6509a92048f4a8219ec91c9b7e75d0453ee026f91e38daab33ff7af8022f690f2e31c6b6767010ae3ae0530c854ed92a458e2c1f42d11905bb1231e32fcdf5

Filesize: 4KB
MD5: 2ed11efbb12a1e8de4197b5432321958
SHA1: ed6add9f956866895ed2d55115f74061d8dd9b39
SHA256: 7e605503bc77f9fec8f5b10ee6fd1e5da273ca8b8c213985e75069a66deee649
SHA512: acfbcad5dfa662f336f57db7d6975df53194faf985d1c8e874936885926fe846665c1e654026a91e6a6bec2f0ace2efc1680a17212f4278136009c5a721230c0

Filesize: 2KB
MD5: 4bec7ccde4a9b4881cb17a5970075988
SHA1: 6d99f33b90547064bba5f921fc0933de35fcad33
SHA256: 4d2accf3e0ca1b266fc098eb88cbeaf59d9a1e5818f57aaaf57c2831da64c750
SHA512: 205a083de0c60c741e59c19c2bb7129d3ead4ed8a136bf851a0b32c88548f4985226f1a971522497bc40b5a09c7c439b285bfaa2100c546a3d88086a468e7561

Filesize: 3KB
MD5: 7b02c62423d08d7c340a530f85261534
SHA1: f57fc70cac8655e1ac75abfcd83d623f83778b89
SHA256: 737c824e719e9e5cc43048383f8d7c7717bcb35ba37e07624c855e258d3753cf
SHA512: 1cee9e7ac2eea1e47dfa6d8a81b5d6ed0540db83d5280b9a4983f4dd23fba8de79a5833afba413f1bfa0189aae860079a671e18f37716b48b4d1a4f39038f663

Filesize: 6KB
MD5: afb3c633208ca9a8d7f768bf4fec30f1
SHA1: 912dfa1e3f0ec68869904cd2aad590f1ab35052c
SHA256: 1753cf7c7f64b4eb2a81540a1081e306360ace5c43e5cf47c346b8568d86f1ce
SHA512: b94254bd6a5d8431017bf6938e0d29dc08f42e540c9866a3881227d3be83e90bea65b45de0b9e82529e2fe1f597ca6d0729ae9ee000bf14be95cefc9af682a4f

Filesize: 3KB
MD5: d26c1a56f63d3682da6e676b606894af
SHA1: e18ed1d358dc0026ecf64f49cc5f7b4c687523c3
SHA256: 6b9f82c04625443346c74b907fb96d8319d22bc5a6d946fcc7a7c19c67b0757c
SHA512: dffbba900e510deca45f24af1786a0cd4d5f97b6c6bd6a219bdaf74d773ed42fdbbc9490dcb457063e879d46eba047225ebf40f1110e18195d53de607b4baf07

Filesize: 10KB
MD5: 680bbba778a319ba57ccc5c5c9f50c03
SHA1: 12705a80f1be125f12a5c6e8511deccdba8bbec6
SHA256: e73b3b68425691605d643e53ac729426b52168585d4b06234cfd8d592828b019
SHA512: 94983f38ecbc271b5452dee0777d0b669a106a0f8a9f23bfe528412ec0c75f2d249e2fb964f71d21d5bebf0f79952bf4bdc3af18f2678a2dbb32511d1259c84b

Filesize: 2KB
MD5: e4eb33335b663fc23aa03ab6ef80cb8d
SHA1: 0db1095d82e27ef352d96a8f36ac022f035ce90d
SHA256: dbdf82b86dd366dcc71edbae46f7008910e2be3f420b79e34159a81df1b39534
SHA512: 4f9df209721f293896c59a4db390ca2875d705625a1151f0b1481e37db6537480cf29ea1e8311dcea0643ae8e4f130efcda27d9246f8058b2765ef1b3a98138b

Filesize: 5KB
MD5: 67cce258db2feab972d3417ed842a1fb
SHA1: 9e69890499496cf92092274240a2c102068d2dd9
SHA256: 561493f6262456b33cc46090080e26a8f6f9f1a0226649acba491ae6d2655ad6
SHA512: 5aa6dd2c70250559450759d42e168b66cedb22718e3e6bcc85f1abd94657db2c8305029f102047f588fce0796c9e44f04f992ec407e9b0d4bd23b2c301a98153

Filesize: 21.9MB
MD5: 7c743153124ba4d8ce99c7dfc77f1c06
SHA1: c5612aeab0d59480bd5a7d6f9e41e0b33470ec1b
SHA256: 8eb7e3e8f3ee31d382359a8a232c984bdaa130584cad11683749026e5df1fdc3
SHA512: 8eeba7ff3f7a3cd0451cb6377db5f9542d47776b13bf96d6f9e693f4a1c6d34cbe68b12448920dea85dc3584773abe78c410e0f5803c8d149c616f47d6986cfd

Filesize: 3.1MB
MD5: 11878001a28ce434f6eb02aa85c3199b
SHA1: 47dd4e5fb52236913b63d4b520775ba0685a8334
SHA256: b3a2140b8ca0babc75daea00d59a3804b616b10bacf2559a3b3f510298882065
SHA512: 9afa2daffea483a57f0d85bce9e598792714433bcda3f100562f60066e84d5b506c79b638c20c859c80f039e4b784ad0adce6d10cf059503e624b0fb05ce5be0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize: 12B
MD5: e4a1661c2c886ebb688dec494532431c
SHA1: a2ae2a7db83b33dc95396607258f553114c9183c
SHA256: b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5
SHA512: efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c