renamer | 0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Size

1.2MB
MD5

0aaaf1668decb824d75242df795ee7b0
SHA1

df803cfda6898ce64d5a5d498875c324b1b17f2e
SHA256

0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8
SHA512

2b746820c3cb54cd3978c2596f64db59d451481ec93dc6c454590f67902487ec691a76fb6b5c93b0945e3a4c02277004cd08cadc45b338674f67f64794bf8d34
SSDEEP

24576:Rj/ZAILiXtDtrn+LCHVYmpRqQYAe9GIdUfd40Qb4B/cWy52:RT+gibn++HV3pcQY7bdU1Qu/BM2

Score

10^/10

renamer discovery persistence worm

Malware Config

Signatures

Detects Renamer worm. 2 IoCs

Renamer aka Grename is worm written in Delphi.

resource	yara_rule
behavioral2/memory/916-68-0x0000000000730000-0x000000000080B000-memory.dmp	family_renamer
behavioral2/memory/916-73-0x0000000000730000-0x000000000080B000-memory.dmp	family_renamer

Renamer, Grenam
Renamer aka Grenam is a worm written in Delphi.
worm renamer

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	LookupSvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	AeLookupSvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	secdrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ProfSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	secdrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

Executes dropped EXE 16 IoCs

pid	Process
1148	LookupSvi.exe
1560	secdrv.exe
396	secdrv.exe
2612	secdrv.exe
2868	AeLookupSvi.exe
3112	secdrv.exe
5052	ProfSvc.exe
4436	ProfSvc.exe
4700	ProfSvc.exe
2060	ProfSvc.exe
4800	secdrv.exe
4276	LookupSvi.exe
4384	ProfSvc.exe
624	secdrv.exe
4668	LookupSvi.exe
1568	AeLookupSvi.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe"	AeLookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe"	AeLookupSvi.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 3640 set thread context of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 1440 set thread context of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 5060 set thread context of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 3948 set thread context of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 1560 set thread context of 396	1560	secdrv.exe	99
PID 396 set thread context of 2612	396	secdrv.exe	100
PID 4564 set thread context of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 2612 set thread context of 3112	2612	secdrv.exe	103
PID 5052 set thread context of 4436	5052	ProfSvc.exe	105
PID 4436 set thread context of 4700	4436	ProfSvc.exe	106
PID 2676 set thread context of 916	2676	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	107
PID 4700 set thread context of 2060	4700	ProfSvc.exe	111
PID 3112 set thread context of 4800	3112	secdrv.exe	112
PID 2060 set thread context of 4384	2060	ProfSvc.exe	114
PID 4800 set thread context of 624	4800	secdrv.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	916	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AeLookupSvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProfSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LookupSvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProfSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AeLookupSvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProfSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProfSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LookupSvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProfSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secdrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LookupSvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Token: SeDebugPrivilege	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Token: SeDebugPrivilege	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Token: SeDebugPrivilege	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Token: SeDebugPrivilege	1148	LookupSvi.exe
Token: SeDebugPrivilege	1560	secdrv.exe
Token: SeDebugPrivilege	396	secdrv.exe
Token: SeDebugPrivilege	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Token: SeDebugPrivilege	2612	secdrv.exe
Token: SeDebugPrivilege	2868	AeLookupSvi.exe
Token: SeDebugPrivilege	5052	ProfSvc.exe
Token: SeDebugPrivilege	4436	ProfSvc.exe
Token: SeDebugPrivilege	2676	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
Token: SeDebugPrivilege	4700	ProfSvc.exe
Token: SeDebugPrivilege	3112	secdrv.exe
Token: SeDebugPrivilege	4276	LookupSvi.exe
Token: SeDebugPrivilege	2060	ProfSvc.exe
Token: SeDebugPrivilege	4800	secdrv.exe
Token: SeDebugPrivilege	4668	LookupSvi.exe
Token: SeDebugPrivilege	1568	AeLookupSvi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 3640 wrote to memory of 1440	3640	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	84
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 1440 wrote to memory of 5060	1440	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	85
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 5060 wrote to memory of 3948	5060	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	86
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 4564	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	95
PID 3948 wrote to memory of 1148	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	97
PID 3948 wrote to memory of 1148	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	97
PID 3948 wrote to memory of 1148	3948	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	97
PID 1148 wrote to memory of 1560	1148	LookupSvi.exe	98
PID 1148 wrote to memory of 1560	1148	LookupSvi.exe	98
PID 1148 wrote to memory of 1560	1148	LookupSvi.exe	98
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 1560 wrote to memory of 396	1560	secdrv.exe	99
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 396 wrote to memory of 2612	396	secdrv.exe	100
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2676	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	101
PID 4564 wrote to memory of 2868	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	102
PID 4564 wrote to memory of 2868	4564	0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe	102

C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
"C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe"
        7⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 432
        8⤵
        Program crash
        
        PID:4964
      - C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8N.exe.log

Filesize
676B

MD5
3bc2150211e33cd343b025da5a9b1457

SHA1
a180ee6e62a496a226590390651a1d3708c7b89c

SHA256
ff2e05f53cc9b927bed429bb2df53290223b459c49be1bea6b0ef13c52903787

SHA512
e192903a8d0855203615c2ddd60c45c791492327fcd8a025e1dd1744cc2a526a4e90b8619e19b170f3ed808f3cbe4c839dc86fc70d97c5b0fb86ea529b78442c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

Filesize
7KB

MD5
54b446b04c83570cc974ed428b416a63

SHA1
f6e9eb6319a45d381baef998ce45e50f247cbc7d

SHA256
ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

SHA512
0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
cf7e259dd0225ae86a29f5952bcb5b4d

SHA1
4c6b2363a754bcaa07edeee5b4837b464cfb5d5c

SHA256
bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8

SHA512
91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.2MB

MD5
0aaaf1668decb824d75242df795ee7b0

SHA1
df803cfda6898ce64d5a5d498875c324b1b17f2e

SHA256
0a6d88e0e25fc2d08af26da2de847c09c078942b06ce19adc0c06f44f5b3c5f8

SHA512
2b746820c3cb54cd3978c2596f64db59d451481ec93dc6c454590f67902487ec691a76fb6b5c93b0945e3a4c02277004cd08cadc45b338674f67f64794bf8d34

Download Submit
memory/624-101-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/916-73-0x0000000000730000-0x000000000080B000-memory.dmp

Filesize
876KB

Download
memory/916-68-0x0000000000730000-0x000000000080B000-memory.dmp

Filesize
876KB

Download
memory/1440-8-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/1440-9-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/1440-6-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/1440-16-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/1440-10-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/1440-4-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2612-42-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3112-56-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3640-2-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/3640-3-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/3640-0-0x0000000075062000-0x0000000075063000-memory.dmp

Filesize
4KB

Download
memory/3640-7-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/3640-1-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/3948-19-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/3948-21-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/3948-40-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/4564-24-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/5060-20-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/5060-17-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/5060-15-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/5060-14-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download
memory/5060-13-0x0000000075060000-0x0000000075611000-memory.dmp

Filesize
5.7MB

Download