Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 19:26
Behavioral task behavioral1
- Sample: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
- Resource: win10v2004-20240802-en
General
- Target: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
- Size: 547KB
- MD5: 7c9c30680dd2f61cd7f5a93527cd2200
- SHA1: 2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982
- SHA256: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83
- SHA512: dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e
- SSDEEP: 6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3
Malware Config
Extracted
vipkeylogger
- Protocol: smtp
- Host: mail.lamela.si
- Port: 587
- Username: [email protected]
- Password: 2014viks5961lamela
- Email To: [email protected]
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was first seen in 2020.
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes: svchost.exe, explorer.exe
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Executes dropped EXE (6 IoCs)
  Processes (pid, process):
  - 2316 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - 2108 icsys.icn.exe
  - 2776 explorer.exe
  - 1068 spoolsv.exe
  - 2604 svchost.exe
  - 2680 spoolsv.exe
- Loads dropped DLL (16 IoCs)
  Processes (pid, process):
  - 2256 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe (3 entries)
  - 2108 icsys.icn.exe (2 entries)
  - 2776 explorer.exe (2 entries)
  - 1068 spoolsv.exe (2 entries)
  - 2604 svchost.exe (2 entries)
  - 880 WerFault.exe (5 entries)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe, svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - Flow 4: checkip.dyndns.org
- Drops file in Windows directory (6 IoCs)
  Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  - File opened for modification: \??\c:\windows\system\explorer.exe (icsys.icn.exe)
  - File opened for modification: \??\c:\windows\system\spoolsv.exe (explorer.exe)
  - File opened for modification: \??\c:\windows\system\svchost.exe (spoolsv.exe)
  - File opened for modification: \??\c:\windows\system\explorer.exe (explorer.exe)
  - File opened for modification: \??\c:\windows\system\svchost.exe (svchost.exe)
  - File opened for modification: C:\Windows\system\udsys.exe (explorer.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe
  - pid 880 WerFault.exe, target pid 2316 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe, spoolsv.exe, svchost.exe, spoolsv.exe, at.exe, at.exe, 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe, icsys.icn.exe, explorer.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once by each of the processes listed above (9 entries)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 2316 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - 2108 icsys.icn.exe
  - 2776 explorer.exe and 2604 svchost.exe, repeated hits making up the remainder of the 64 entries
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes (pid, process):
  - 2776 explorer.exe
  - 2604 svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - Token: SeDebugPrivilege, pid 2316 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid, process):
  - 2256 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe (2 entries)
  - 2108 icsys.icn.exe (2 entries)
  - 2776 explorer.exe (2 entries)
  - 1068 spoolsv.exe (2 entries)
  - 2604 svchost.exe (2 entries)
  - 2680 spoolsv.exe (2 entries)
  - 2776 explorer.exe (2 further entries)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  Each parent-to-target write below is recorded 4 times (pid, process -> target pid, target process):
  - 2256 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe -> 2316 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - 2256 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe -> 2108 icsys.icn.exe
  - 2108 icsys.icn.exe -> 2776 explorer.exe
  - 2776 explorer.exe -> 1068 spoolsv.exe
  - 1068 spoolsv.exe -> 2604 svchost.exe
  - 2604 svchost.exe -> 2680 spoolsv.exe
  - 2604 svchost.exe -> 2932 at.exe
  - 2316 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe -> 880 WerFault.exe
  - 2604 svchost.exe -> 1064 at.exe
- outlook_office_path (1 IoCs)
  Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
- outlook_win_path (1 IoCs)
  Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe (PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe (PID 2316)
    Command line: c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 880)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1688
      - Loads dropped DLL
      - Program crash
  - [2] C:\Users\Admin\AppData\Local\icsys.icn.exe (PID 2108)
    Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\system\explorer.exe (PID 2776)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\system\spoolsv.exe (PID 1068)
        Command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\system\svchost.exe (PID 2604)
          Command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - [6] \??\c:\windows\system\spoolsv.exe (PID 2680)
            Command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          - [6] C:\Windows\SysWOW64\at.exe (PID 2932)
            Command line: at 19:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
          - [6] C:\Windows\SysWOW64\at.exe (PID 1064)
            Command line: at 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (4)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads