c73137fd1f2945fb1effcb951a865070700fc2c7f6b646ee7532394134e59e95

Analysis

max time kernel
120s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NODKeygen.exe
Size

603KB
MD5

6b27da644353449db17f11c719d41faa
SHA1

cb77bf1827298e3c1d6f990b6bcac2dbaaaf26d3
SHA256

3984476ed5d3e9eb74667e766a1785800ffd78e0088608dd54950fa31460b2e0
SHA512

3fd7c521e9f615675f7e70c4e39d794b537a7a48c15e74dd73abb14c309da66a1802574d588f26b94b9cc5e3c5ea390977346162ebcb0709045ffeb1eb41387f
SSDEEP

12288:I47B6s5kmIpMvdznMoB+SbPDn1OHnrCxc9eDQbd4laK:7pesdMoB+GncgdsbiaK

Score

7^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\C957.tmp	codec.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	NODKeygen.exe
3032	codec.exe

Loads dropped DLL 10 IoCs

pid	Process
1356	NODKeygen.exe
1356	NODKeygen.exe
2368	NODKeygen.exe
2368	NODKeygen.exe
2368	NODKeygen.exe
1356	NODKeygen.exe
1356	NODKeygen.exe
3032	codec.exe
3032	codec.exe
3032	codec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Windows\\system32\\winlogon.exe"	NODKeygen.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NODKeygen.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winlogon.exe	NODKeygen.exe
File opened for modification	C:\Windows\system32\spool\PRTPROCS\x64\C957.tmp	codec.exe
File created	C:\Windows\SysWOW64\winlogon.exe	NODKeygen.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2872	2368	NODKeygen.exe	34
PID 2368 set thread context of 2868	2368	NODKeygen.exe	35
PID 2368 set thread context of 2640	2368	NODKeygen.exe	36

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-34-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2640-35-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2872-33-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NODKeygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NODKeygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	codec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDB8C071-822D-11EF-AD2E-6E295C7D81A3} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDBB48E1-822D-11EF-AD2E-6E295C7D81A3} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDBB21D1-822D-11EF-AD2E-6E295C7D81A3} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3032	codec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2872	IEXPLORE.EXE
2868	IEXPLORE.EXE
2640	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 2368	1356	NODKeygen.exe	30
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 1356 wrote to memory of 3032	1356	NODKeygen.exe	31
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2872	2368	NODKeygen.exe	34
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2868	2368	NODKeygen.exe	35
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2368 wrote to memory of 2640	2368	NODKeygen.exe	36
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1784	2872	IEXPLORE.EXE	37
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2640 wrote to memory of 2696	2640	IEXPLORE.EXE	38
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39
PID 2868 wrote to memory of 1120	2868	IEXPLORE.EXE	39

C:\Users\Admin\AppData\Local\Temp\ NODKeygen.exe
"C:\Users\Admin\AppData\Local\Temp\ NODKeygen.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\NODKeygen.exe
  "C:\Users\Admin\AppData\Local\Temp\NODKeygen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1784
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1120
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2696
- C:\Users\Admin\AppData\Local\Temp\codec.exe
  "C:\Users\Admin\AppData\Local\Temp\codec.exe"
  2⤵
  - Boot or Logon Autostart Execution: Print Processors
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a70a3866539babd6d5bde4719f36ebcc

SHA1
11d74c6e892cce29c6b91d2f5de09adbb8f8afde

SHA256
043ef39a056ff45d785a15de090c9c509bf446242298597354ac07ad412ef8f1

SHA512
32436235f544e35849ff229754e027791e42961f2f49a5ed4c73a65d2071fc75482ea44ee5072813e44859675be60d9815bae05afc6b5af516f063aa3763a151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc7b1daaf40cec2324865e7d0226f69b

SHA1
bbb3ec0325a3bb8f37bea57cc51084f0203fc8a1

SHA256
69ab900b7c3deba07d6d688ecfc7e42ae82314db366fc0e7255079fe3d0a7669

SHA512
a46f85e2d01ef1cd9b39fc97430b7fd7506aaa97a39c8a7bd5019dfeaf312997c7fd9d5900f3949a171b2aff609aeedba5964183ab6914251c8af9c46d0f712c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be29f7be9d4f692a9efb544bf6441d6b

SHA1
b8f67cb817281e6ab085b5c97f59274770d22bb9

SHA256
33cf388f89ccf0cce74279dcc2705e88349bf8aae867420cb061dc1cc0c1969b

SHA512
bdadfb3ebc9433d8c104a810f0e55f7ee5ecd04e5f45297c6b1ae1c5e4bc08bef8f8f24dc32274db8bf40ca811af05ee982039c52d75c429219fac71af77f81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef0ccb377fa4ea3381d8aecd17443a95

SHA1
8a4d96b2e01379173b778c6fec34bd147a8b8595

SHA256
f9b4dea04b79711a08be20fa20b18cf7224694208845d7a2b7a77e35a178e76a

SHA512
61ab02378bcdd3aa2e179ca0949437757e72cd58417e1a8bc9b4856d8a129d513a67638293ac28d40ff1f95ecd6677ec38c0add3a3bfd823dd85ae6920b7d79d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43eb7a41f78965ceb3ad24af35f50604

SHA1
d25f3c2bfd7058ee4f172afcf541905bb9283585

SHA256
c69fff2b6c8a0384708ddf42fcfcd47b916cefd767f60163f0dd8647fee29bb7

SHA512
be62fc66eed59b1d55ae5738bc7dc8edcaddc23df30a8307a70ee75eae1e5e893ae78d02d88bb66ee76a91d6c926f2e086da50f84390f129b7b489d3afcba121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60c5a279e5044437ee4a07a526ae2ca3

SHA1
0ba8044188c8573b6a85fd107ade0899b392bdd5

SHA256
a6d3df20ed470d2aa9e10128a5453ae14a928722214c1fe939aa7620cd7926a0

SHA512
7c3cd30d3a669683b07004247ce9d2a7359c480699cdaa9d3e711d0b6f7d96d47e00e394d3021df2b07ad31b2ba49f8cfcb5b55a5cbc7def18cf41889e42535f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0f837ec86aa364ce4caa440b0c75395

SHA1
352d5884c3a8ed73964b7fe6227a590b9e3ffb57

SHA256
5e66efc5c78008b4a54c57740d83d1a6b8e5157c5bccce33379aea0449e504e9

SHA512
7c73d65117419a63487290f4bb4a1ccaed82c73b7819905c8eeb536aefcd268326745910fb93c464ab776b15a371dc1a1cb4152f9cc8f2daa90a828433823b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a98ea0ae55cb14fe3829936e44c9562

SHA1
3a811826f9bf30ca9ea0ff1e3a6ca6cddba3f963

SHA256
f2b2a6a0dcaf357525d2a8b39ffa6cea6eae565123dbf656f63091e01ebb51f7

SHA512
85dec84ee517494148f1763b52b687fd475216766342fc10a91b2052e27f3da9632f857169fd0f61e5a58e20c8633ad2f6273c5e42c644650a8640e7b278bb7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29771c2a57593e8f8eb1cb6f618e65a6

SHA1
924ebea7790a7fe251cd97ec871540d0e49899de

SHA256
a08449256a9a76dca16f9f694e9d9f9d5589ca0f646e1497bcc44fd155d71ae2

SHA512
1c14a89b571c195ea266ff1c3eee30320067adae869e3b61dacaef6f81f27a01726990af13b98b7a7655e65751e53acb50247452230665c6c4d9f88da2863023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
670bfd0a6ecf8d3fcc7907cb7a144c84

SHA1
ed35f6b0dd702104b5d06e49e3d834213ba720f1

SHA256
8b1fdba7e80f1e56d54c712a1f3c56bb356d3307d3c52284f9a30d0bcd3360ca

SHA512
16f97c2e62db44064a107a767fc8a2b4d84fcb1e309781c884d6428f1542feaca05716423c5b0137c2724f9f05500466f0cd629b06cd14eb1a5ba81c2d1e006f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ec9b23381b176df42139129795f78ad

SHA1
767dde49be018374475bd541d0ca20c0b24aa25c

SHA256
0d4dde7dd349ceab4a799400a08d4e1ac2f7fdd57e2206ae878896b5c510a32f

SHA512
93ff44c271418bf0604c09d32762a4849064de29c89b3cc1fefd0829757c99a4cfc2256b1755241b6ad36e4e51658ea5bfc815f6f9c9cb73930439dbab2a9715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4372ad6a356eba21cff87c61852cf2b

SHA1
4791d6fd9358d98d07fdb7734bff2c0b719e4634

SHA256
6252fedd0ea2d40fb873385333782058ad3f4623e042e466e796dbafa30c4831

SHA512
e093cff9073877466ddd88c914d247bc6aa75221b29b9fd99ab1063eba2a8930c71c7662d273b0ee91846f5ea46cb3bdfc84a4302f448413bdc814ea068b4cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cd8348631f82f22323c74ef5b8084a2

SHA1
5060b9e6db3a555cdf8e923b2057810d7f31dd46

SHA256
58f2a1ad37a27c3bbf0e72b0ccaa1855c5db89e8122f1ddc4c4ab5c1ad5d7126

SHA512
e45619da25e12356749ad4b884b4769ae86c94d39500ef30eaa74ac5c146ad7524d3744ede0dde7ccf3beb9e018d29b7f7066f9ae230af0419b5f57c9a8ede96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e04a1dba0aef9f61b28c9b0616bf13c

SHA1
60b73ae2a9f1f262f32792ef572e816be07f44cd

SHA256
aad9a0ce120015015ed79f0e4a2525fe300c3905605f2e5ef019a6b51ed5f5d8

SHA512
9f622329b56b41104ea85ab63d439bd8370ae4788ab23d1a5088961538229228cdbd25aeac993cd099ea19353c28a892d154d2ea480a82060710c1e20e510cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d1ca90d70f2510ff6ecb2a2b83a2e8f

SHA1
9592ea7cb0285a0eb58da085613dc9434f9ff25a

SHA256
776af0879368e4f2c78507485b0691aa99ae2e50d551809a8dd8aefad1ec01b0

SHA512
b83973b3c2a2abc66c545692d2143a3ce9ea09ff9fbfe968209fdd92d3d53c69398791d15a48863ebedc8b34d2b4f1220e7ce4fa1810c4605cd4f3c4316ab6a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9c5b24561f4967a11a85145b2f7c16d

SHA1
86d17e7a9bd132c717a608ed37dee6bade6a45e3

SHA256
1219eda29db3f009a16d4f9387d54e514f83088732ff487ffa117aaea940b32a

SHA512
8f9924e2d82b3921c1bea9d2c3969a7c7f410291bbba7db8e093271ddede47ff30712737913083b5a3bb4b13e4eda219677b3079cb7db24cdcd6befcdf0456cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
040bb5b8aca4f462e0aa60fb60c40b4a

SHA1
00519f2f53a4e49b7f79838476ac6d1aabc562ec

SHA256
26a0200a4467df9ebe8de21a01bb55a34c5921864da64844e07f3f93f4740436

SHA512
552d59648ca3d3a3d994a7ab7af1fbe14d275b9c070637eae079bf298cd0797d6e19addc5a00e19732d0254dae69719c3e4a7aaa29f636c8420ef7754b6757c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
038d34e0319603559ae4e9b7c4204f07

SHA1
1796c9aac9331efbf665ebabef52879c20b25a5e

SHA256
ff022b6d56af31202fe73f7ff1ac2dad9a0b5588a7dc1ceb2fdc67f4d1f88a87

SHA512
36b28088c240611391f3c3f4ab7c3b41785111501f5c7a680ef75ba1184c2065f87e4b025d2c3f4ebac298f1b02dad2879a7bc9b09f2636830fe3a267a039aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55ae67a91208449f77404d7fc6cf3e03

SHA1
60284fad70a67070a365f361c8e8be79678da03d

SHA256
a05f041bdbc973e341b6c082e07d4f73b4ffbf54c8f8459975ce8b4c711d5640

SHA512
ea59366a6d68ba1b61b702e03d8367b1c2f91b3473756ba380ec552917df9e6b9b08e7539fa6c1e984754ae77cc84aafd70f0a3d4fc3d155e91e8c84e44eec5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDBB21D1-822D-11EF-AD2E-6E295C7D81A3}.dat

Filesize
3KB

MD5
bb6230969b2955001d97e6077c9e1c62

SHA1
ccbb3b792038f5de7c276285713459fafd2418f7

SHA256
6da9c169dcd63815e3b514fcdf19d1b80bd47fe0a199a3f362c53359a9f0a01a

SHA512
956272b835bf84abf7a061204fb969364a04f810bcc3b15810c1b17b08f31fd36145c51078a2580695fdb4b75c3c0c1cf394006201e34580ed5b2977cbd9b2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDBB48E1-822D-11EF-AD2E-6E295C7D81A3}.dat

Filesize
3KB

MD5
070674a0805eb93c77adf427f92811d9

SHA1
6a46fa95fc7ec57d0aeb690f37278dc76ff0d820

SHA256
1c9bd2606a5a73e2f50b82dfc5a589fbc6da58b70337d5e2002c20a059ba0863

SHA512
c1b3fe84a1ffbf86ff8829d2431fdee118520729fcc0fa87568ed24c8b80af04c70e92533273bd95a7af273f4edb33d855bdffa553e0c0c5324019916c4c2fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDBB48E1-822D-11EF-AD2E-6E295C7D81A3}.dat

Filesize
3KB

MD5
b8b707005a6f476ddcb21dc120ab03fc

SHA1
c0da960211cbdaa3530f6c618f0dca8afb8406a1

SHA256
29c9d149683070825f18c38770db259481d6016db9d562db9c66718a7dc0a983

SHA512
94026277ae2a114fdb03843c262652adb0ddf8704bb4f80ea950208005122045442fbd4afa6100ce4c8df49c40a001e9fabde08cac9bd142144fc21ead6d04f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF71E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NODKeygen.exe

Filesize
486KB

MD5
a44286f286f9c8f435f0e4563666153d

SHA1
03d721dd42ba313abf42be5a6c64c163a821a294

SHA256
c0258988fcabc2a3df778a71dbbdcbd45eb0b0da3701167b275d7e14b7250e44

SHA512
5f9df337dd72d5988a7d5adea21b10b267402db3367dbf6a00f475fd5197f2e36204c04ffc8d93b883430ddf1d7f5c526e6635edf11519a0043252d5f8a507cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF7BD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe

Filesize
63KB

MD5
ef85a8eda94d282d9e3c0f31f0fef956

SHA1
a2a5732d8750cbb1cec43b7ed528d25456107b7c

SHA256
7e1327dc7caf542c59e490555202c0aba8bd508d5a0a70e2808e577fe361dc85

SHA512
4fa5883f10ff0865213bb0bc1a58aa11f489586d81af36cbabfd88ecda297784d317becba933b4f9b30d9717766748e74a040802674a33e26f2ab33b7edf8a4c

Download Submit
memory/2640-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2872-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3032-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads