c862578f76c396997aec18d367b6f0ce81a6e15b6e50e27858e0f3dea7a98d95

Resubmissions

07/10/2024, 05:31

241007-f76bwasdpf 8

07/10/2024, 03:45

241007-ebh12axgna 8

07/10/2024, 03:41

241007-d88ghsxflg 8

07/10/2024, 03:38

241007-d7bfdstbkm 8

Analysis

max time kernel
149s
max time network
71s
platform
windows7_x64
resource
win7-20240729-ja
resource tags

arch:x64arch:x86image:win7-20240729-jalocale:ja-jpos:windows7-x64systemwindows
submitted
07/10/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vTHGfiwMDeoOH5a.exe
Size

785KB
MD5

3aa5992e9a518e4d1a7042a16b10e31d
SHA1

5bce77192abbf2a71a2b19d6b00f08685f569b64
SHA256

cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
SHA512

518b38137a320e3853e28496485c04c933b68ef34f4ef9b4da363711555ea70c11325d4e05d761d5a4aaa199e684e0da084e0226f319cfe3a29dc00d120fed95
SSDEEP

24576:A0ixK9bqAGf89ojqUk6fT6xuBgptr6svn6v:9ixKp5NX6BBStr6svnu

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2116	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
2216	powershell.exe
1552	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	mshta.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2992 set thread context of 2748	2992	vTHGfiwMDeoOH5a.exe	33
PID 2992 set thread context of 2116	2992	vTHGfiwMDeoOH5a.exe	34
PID 2116 set thread context of 1232	2116	mshta.exe	21
PID 1568 set thread context of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 2020 set thread context of 2528	2020	vTHGfiwMDeoOH5a.exe	47

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mshta.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\2 = 4c003100000000004759c61d10204c6f63616c00380008000400efbefd58b58d4759c61d2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\2\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\2\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\2\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4c00310000000000fd584598100041646d696e00380008000400efbefd58b58dfd5845982a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "5"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5600310000000000fd582f8f10204c6f63616c4c6f7700003e0008000400efbefd58b58dfd582f8f2a000000320200000000020000000000000000000000000000004c006f00630061006c004c006f007700000018000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1202"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\2\0\NodeSlot = "10"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2964	powershell.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2992	vTHGfiwMDeoOH5a.exe
2116	mshta.exe
2116	mshta.exe
2116	mshta.exe
2116	mshta.exe
2116	mshta.exe
2216	powershell.exe
1776	vTHGfiwMDeoOH5a.exe
1776	vTHGfiwMDeoOH5a.exe
1776	vTHGfiwMDeoOH5a.exe
1552	powershell.exe
2528	vTHGfiwMDeoOH5a.exe
2528	vTHGfiwMDeoOH5a.exe
2528	vTHGfiwMDeoOH5a.exe
1776	vTHGfiwMDeoOH5a.exe
1776	vTHGfiwMDeoOH5a.exe
2528	vTHGfiwMDeoOH5a.exe
2528	vTHGfiwMDeoOH5a.exe
1776	vTHGfiwMDeoOH5a.exe
1776	vTHGfiwMDeoOH5a.exe
2528	vTHGfiwMDeoOH5a.exe
2528	vTHGfiwMDeoOH5a.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2748	mmc.exe
1232	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2992	vTHGfiwMDeoOH5a.exe
2748	mmc.exe
2748	mmc.exe
2116	mshta.exe
2116	mshta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	powershell.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe
Token: SeIncBasePriorityPrivilege	2748	mmc.exe
Token: 33	2748	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2748	mmc.exe
2748	mmc.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2964	2056	vTHGfiwMDeoOH5a.exe	30
PID 2056 wrote to memory of 2964	2056	vTHGfiwMDeoOH5a.exe	30
PID 2056 wrote to memory of 2964	2056	vTHGfiwMDeoOH5a.exe	30
PID 2056 wrote to memory of 2964	2056	vTHGfiwMDeoOH5a.exe	30
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2056 wrote to memory of 2992	2056	vTHGfiwMDeoOH5a.exe	32
PID 2748 wrote to memory of 2116	2748	mmc.exe	34
PID 2748 wrote to memory of 2116	2748	mmc.exe	34
PID 2748 wrote to memory of 2116	2748	mmc.exe	34
PID 2748 wrote to memory of 2116	2748	mmc.exe	34
PID 1232 wrote to memory of 1568	1232	Explorer.EXE	40
PID 1232 wrote to memory of 1568	1232	Explorer.EXE	40
PID 1232 wrote to memory of 1568	1232	Explorer.EXE	40
PID 1232 wrote to memory of 1568	1232	Explorer.EXE	40
PID 1232 wrote to memory of 2020	1232	Explorer.EXE	41
PID 1232 wrote to memory of 2020	1232	Explorer.EXE	41
PID 1232 wrote to memory of 2020	1232	Explorer.EXE	41
PID 1232 wrote to memory of 2020	1232	Explorer.EXE	41
PID 1568 wrote to memory of 2216	1568	vTHGfiwMDeoOH5a.exe	42
PID 1568 wrote to memory of 2216	1568	vTHGfiwMDeoOH5a.exe	42
PID 1568 wrote to memory of 2216	1568	vTHGfiwMDeoOH5a.exe	42
PID 1568 wrote to memory of 2216	1568	vTHGfiwMDeoOH5a.exe	42
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 1568 wrote to memory of 1776	1568	vTHGfiwMDeoOH5a.exe	44
PID 2020 wrote to memory of 1552	2020	vTHGfiwMDeoOH5a.exe	45
PID 2020 wrote to memory of 1552	2020	vTHGfiwMDeoOH5a.exe	45
PID 2020 wrote to memory of 1552	2020	vTHGfiwMDeoOH5a.exe	45
PID 2020 wrote to memory of 1552	2020	vTHGfiwMDeoOH5a.exe	45
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47
PID 2020 wrote to memory of 2528	2020	vTHGfiwMDeoOH5a.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
  "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
    "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2992
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" C:\Windows\system32\taskschd.msc
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2116
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
  "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
    "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
- C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
  "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
    "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0dbd1hu.zip

Filesize
438KB

MD5
9ec4d0fe38cb4de94d578bfd72c8eebd

SHA1
e316282a617c5f0c40c488de79c73cf13c8baaf2

SHA256
2402c65692d0a822d7931489d1bbf29fa9bfbf210819c1614dd8d2350e747f2f

SHA512
a3d1ff3c516cf2c6548e03d68eeaff530acc794e1f76253d46b092183bd762c1126160dd611e0d3ceec5d0664d946e5d154b8dc88b1bccf606b57cfd59a31201

Download Submit
C:\Users\Admin\AppData\Local\Temp\1863I7301

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.def

Filesize
5KB

MD5
cd9b704b328573406d319f6e22e043be

SHA1
fb88536357cf2a7db522684887affd85ab5747da

SHA256
8274a340b59d469c27eb238a7984d250287c7820556a9e2693e8f1ecd907936a

SHA512
869ac4a65380ec36254de7309d84d5c98d4b280e71bdcc389f4689bc140ef86ea0eb3e736cb7e906417e40eba79c33dd712cf67099ae26ffeecff78130e2ca29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9e2111efd6b1b933bf1b9c1211bf8545

SHA1
6590f4e3ab461838f99ea2438809d07a7641e6da

SHA256
7bc33a190d4f6a6a1560afaf5130422399eda0fa6b6ca086012a6e6e81a37720

SHA512
6c23e2bca284854ab50f8a07dccf29cb84f46438765c45e501bd659c5ab22d3d0e0649d83ee41e760e35032fa8cf381f815a908424b2371d5f259cdd3bfe74bb

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
837KB

MD5
e1b58e0aa1b377a1d0e940660ad1ace1

SHA1
5afc7291b26855b1252b26381ebc85ed3cca218f

SHA256
1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777

SHA512
9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2

Download Submit
memory/1232-31-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/1232-32-0x000000000D310000-0x000000000D3E2000-memory.dmp

Filesize
840KB

Download
memory/1568-77-0x0000000000B00000-0x0000000000BCA000-memory.dmp

Filesize
808KB

Download
memory/1776-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-5-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-3-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2056-6-0x0000000005100000-0x000000000518E000-memory.dmp

Filesize
568KB

Download
memory/2056-16-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-1-0x0000000000DB0000-0x0000000000E7A000-memory.dmp

Filesize
808KB

Download
memory/2056-2-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-7-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-4-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2056-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2116-67-0x0000000006A90000-0x0000000006B4E000-memory.dmp

Filesize
760KB

Download
memory/2116-71-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2116-72-0x0000000006A90000-0x0000000006B4E000-memory.dmp

Filesize
760KB

Download
memory/2116-27-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2116-30-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2748-24-0x000000001D640000-0x000000001D7E8000-memory.dmp

Filesize
1.7MB

Download
memory/2748-25-0x0000000002E90000-0x0000000002E98000-memory.dmp

Filesize
32KB

Download
memory/2748-23-0x000000001D2F0000-0x000000001D636000-memory.dmp

Filesize
3.3MB

Download
memory/2748-22-0x0000000002820000-0x000000000282E000-memory.dmp

Filesize
56KB

Download
memory/2748-21-0x0000000002F20000-0x0000000002F78000-memory.dmp

Filesize
352KB

Download
memory/2748-20-0x00000000024F0000-0x000000000250E000-memory.dmp

Filesize
120KB

Download
memory/2992-29-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2992-26-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2992-19-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2992-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2992-10-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2992-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download