ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
Size

1.8MB
MD5

9c6825ea57e1367501078ffc44524ca6
SHA1

c7a534b2c9890a2326bfb49525c05cf82d1dc2e8
SHA256

ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94
SHA512

2b75fcf16eec0cef29e31c43cc445a097bdba5c3c2e9cb2343640164185824abb684c216fcfe6009b2e2793b4afca6e7eab0575b04d8852529781157eb653d66
SSDEEP

24576:OsIV0SK7E5Yy4rxUMhWpOlZAb6utlJVdeeWIguOL+4nDS2bJ7FQvx7p6PGRihyU/:mRxV49USWz6ZfjL+4lV7A6IqJao

Score

8^/10

credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
3952	elevation_service.exe
1556	elevation_service.exe
1932	maintenanceservice.exe
3428	OSE.EXE
5048	ssh-agent.exe
548	AgentService.exe
1396	TrustedInstaller.exe
1980	wbengine.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	OSE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\K:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\N:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\O:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\W:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\H:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\M:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\P:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\V:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\Y:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\E:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\S:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\U:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\G:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\T:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\L:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\X:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\I:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\J:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\Q:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\R:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\Z:	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE

Drops file in System32 directory 58 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\enoiibla.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\alg.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\msdtc.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	OSE.EXE
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pbgnbkbm.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\fxssvc.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\windows\system32\hqiglgfj.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\spectrum.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fldjibbb.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\dllhost.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\locator.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\Agentservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\svchost.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\windows\system32\emkmeglk.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\windows\system32\modbmfma.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\windows\system32\openssh\kkcdephh.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	OSE.EXE
File created	\??\c:\windows\system32\mjejbleh.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\windows\system32\agobljij.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\Appvclient.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\windows\system32\lanfmjlf.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\vds.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	OSE.EXE

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\mozilla maintenance service\abcmhfok.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	C:\Program Files\7-Zip\ncjookla.tmp	OSE.EXE
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	C:\Program Files\Internet Explorer\obgadqok.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	OSE.EXE
File created	C:\Program Files\7-Zip\pijiegfa.tmp	OSE.EXE
File created	C:\Program Files\7-Zip\afaqkaok.tmp	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	OSE.EXE
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\jmccchad.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nklemblo.tmp	OSE.EXE
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\dklkkafp.tmp	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\klonohhl.tmp	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	OSE.EXE
File created	\??\c:\program files\common files\microsoft shared\source engine\pekbhflp.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\program files\windows media player\foejjahm.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\amhadgcp.tmp	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\nfkccafb.tmp	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	OSE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
Token: SeTakeOwnershipPrivilege	5104	ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
Token: SeAssignPrimaryTokenPrivilege	548	AgentService.exe
Token: SeBackupPrivilege	1980	wbengine.exe
Token: SeRestorePrivilege	1980	wbengine.exe
Token: SeSecurityPrivilege	1980	wbengine.exe
Token: SeTakeOwnershipPrivilege	3428	OSE.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe
"C:\Users\Admin\AppData\Local\Temp\ede5d7fc55e5129f5d6327c1a0edd4209ad377233e715a2fd221aa15e98b5e94.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3428

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fbce5b201017c29f22304e79050dddc1

SHA1
00566ddbdbb96651d20db3c9547ae3dbc6267466

SHA256
85f67a6ed4d3f9f6cf02472163c78448ac61a409f5757b5bd40b0311e48f54f7

SHA512
a41fd8acc52d6e94e17c0b7eb5a0c435b38602ae84647d4167164592501806b44df7788710b8678ab68a78cc6f6ca42bfdba973f0d5f1ac193d5979dec7d3cad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
777KB

MD5
6d2e57fb00dbcd6e37b91b1c01d02a6c

SHA1
4aa6598320b1703c3d1410572ce6d49882b3069f

SHA256
8941237ce0899c94231f41a142128e72894a2d12e83622c6a78db17e806e9913

SHA512
a67a7d3ab702b9f337ae8a6d120e68ef39ceb5b005df1c32d689f4ccf1aaaa1053e68b60f44d93c2aa79856733ef4cacec2ebf80288e5f80f387044157006827

Download Submit
C:\Program Files\7-Zip\ncjookla.tmp

Filesize
1.1MB

MD5
559550efc32e0f2725235b3c3441ad63

SHA1
c6249014ab9321a33f31f3523d9b0a1e03d377ca

SHA256
f0f047b9caa57929d2c8ebbd93235a7139c0c425d5e82a280a49d3a519bd1c3a

SHA512
086c38a5bb8f8c1aef8f950af74670f3003098967bba9be2463d4891d17f73eb8f190641bcb17a6682b01fb90fb5c2b59ff5c80b0d39add43748e9524aeecc8d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
b622b8c0ef081d00470c72e24fe27e90

SHA1
31348c92bd52042596b6fac0d7f1ac3d8bf901ef

SHA256
54f521dcc84bf453b784c7d73b05f52b8d89d42d553aa0982638b645899b9ccd

SHA512
e2bdf20029b7c9f400568bd3da7de9a02ca62ef4b788528679435c27caaad41aa9f01f4e00bb039022834f6f125a808f39062e2b0c657ce4ca23829001547a46

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
7bbdf6539073a2eda5b0b983c511b7ec

SHA1
bdfad1032b654269cc6bb808d2b571a8dbe97d4a

SHA256
24cb1f89e64ae7bdd2cebd07be693823495c17bc5fd2b771974d5e23601613b2

SHA512
28ba4d9355b9505588b32e1c62e259da0db100338b11a10772a4e2097ed58d92ed2b64db203d4b5166ff8e80e68117b73c5d6459fc82ba5686145679a60a358f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
494350f3d3f634ca0a2aa6f70183b945

SHA1
4bd47bb9da8fd543868a57a923538727e08c70ee

SHA256
b6b8f0c4f8b04eb7ff7d0660a37cafd59a2b051deacce8c68e417642d4ec804d

SHA512
a3d4d2479d4b54847f9fe6df24987515cba41a9352d8b970766c6f71f0a15a62352d60194c23bfd433d7160242394eb0b3a3a8ca0efeddd072fd748d21c93e5e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
928KB

MD5
4b14c6e0345d9129f0c54ede48bdcce4

SHA1
eee559e6934e0c45c5c0dcdb1eb9b4909650b1c4

SHA256
318fd217ecfa0b7b92cbb772e68c884975bed5acdff4a878b20cfc09646b8b3b

SHA512
853f646adf50492d787c59d924929c491d4b8c48480646f9261c8ffb2528423a3803a8f59f45893c81b33411fbcb7e1c0186e60974b6966c391770b1613a0108

Download Submit
C:\Windows\System32\mjejbleh.tmp

Filesize
1.3MB

MD5
95e0564a89f21178f84704791f29dab4

SHA1
1431bb04a80253ccb96c8be7a60e1d37f8e33d4f

SHA256
7fdd4529a737e9de8f429fbf07c0fd463a8b139db97bb0fbe56984adf029e3cb

SHA512
6f9b669430de8f95f65a334ac6ae8aaf1649a9467f91dc2a17ca9ce18432ee1ebfccee37fac7a4a41874c9a08ecdf03e39cccfd741a3ce2c037047c0f33cf29c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e48a670fb1f58e4692f3534a8660e0c1

SHA1
ae02db358ad8cf302e44ce52caa4949b1ade3376

SHA256
e18bf0afbdb12e66d3ba2881e06621bbb9819e542ae82de1d35185a08bde02b4

SHA512
46c5e773b661eefcfdfcc264fc4fa517354d91ba243d7d7c962d2b235359feb1826313555389fc4c50f2f339a6b1301d7776362299f0f2fb4980bb41732b52f3

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
14dbb845e3a5bf053814994d1e4708d0

SHA1
b0f8fd234294aefb6eaa931f67afe6f5786c2b92

SHA256
1cb5e25a4250ba702f3d0db534c3f76ea3caa6feb4b19ebbf77715b41e6ec90a

SHA512
94c0c9c03e7c5f2bcf433c0ff341959efd096509183ecac876e889331d5823ab7838ed156d2c2fb3128037082c1215c4110b6178cf960c888cbf2b7499242735

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
90c1ab02aecaf69fa3032b61fab1a8e7

SHA1
3093738ee35805a2c3392d73ffea0f2f2ab3f413

SHA256
1bf4268fac9aadd703d7179e1dd28cb88add685b63484248b35f00771c5e4013

SHA512
9b654c17b9c1d612bfcf64ef5b0ee7b73c8115aa530ff29c66e627ef979476482e9d973b3f5575b712e010df1aa77bca65c0d661c4075dee1d70388ce740127a

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
a127b2010dd55b22d197de3e25c0e148

SHA1
8ecc2ed2d037d7740a376e1867cad3478d60d46b

SHA256
9c45584a12987dfe0ea5228efebdc4348efc5e890b8708d1b8aef1b2e0c8b752

SHA512
f25e288ea06c4efcace74c895a97172c3aaca9e7624c34ecd47f7732e19d7e4f88398bcddfacf73a5724e86803611ea5f1de9d13e7d1ab5028c4ec89447e536c

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
e03ba6e25f61bba2eb1476027f624aa3

SHA1
25a0b6300da39772f999fd84fdd3ac06abf037e8

SHA256
acf7c2825719848d5f5417b1c986a02dc84aa566d3b6e281dfc5290d1e97b929

SHA512
46187d733ecdf52c2111c11c240f4206fe7c4621cc0771fbc5dbbc726df8a93b52e4eb05eae1341f8e7c519fd7f8f1223103a1841008e5da1abcd666d827d358

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
fba9a78dfd82f1a05368c790ace8a163

SHA1
3e5579d2d561f551949469ac5104ebe4af773707

SHA256
b3163e98ba1e827c601b72d2bf3ff2e285cc4668b2829ea8dee5ae8250abb5bc

SHA512
5e693d9c5ad20c93ea314a6abb51357239a934b61d184768c696a89f31f57b9fd18ae6f20ff098fee775ea530c4ac11a8366da14d9cd48b211135a1fc3141781

Download Submit
memory/548-102-0x0000000140000000-0x0000000140319000-memory.dmp

Filesize
3.1MB

Download
memory/548-95-0x0000000140000000-0x0000000140319000-memory.dmp

Filesize
3.1MB

Download
memory/1556-49-0x0000000140000000-0x0000000140385000-memory.dmp

Filesize
3.5MB

Download
memory/1556-50-0x0000000140000000-0x0000000140385000-memory.dmp

Filesize
3.5MB

Download
memory/1932-57-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/1932-58-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/1980-152-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/1980-104-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/3428-140-0x0000000140000000-0x0000000140229000-memory.dmp

Filesize
2.2MB

Download
memory/3428-75-0x0000000140000000-0x0000000140229000-memory.dmp

Filesize
2.2MB

Download
memory/3952-40-0x0000000140000000-0x000000014038E000-memory.dmp

Filesize
3.6MB

Download
memory/3952-41-0x0000000140000000-0x000000014038E000-memory.dmp

Filesize
3.6MB

Download
memory/5048-141-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/5048-88-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/5104-3-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-0-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-48-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-139-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-21-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-6-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-5-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-4-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-39-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-2-0x0000000002D50000-0x0000000002D98000-memory.dmp

Filesize
288KB

Download
memory/5104-10-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-11-0x0000000140000000-0x0000000140329000-memory.dmp

Filesize
3.2MB

Download
memory/5104-1-0x0000000140033000-0x0000000140034000-memory.dmp

Filesize
4KB

Download