Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
15-10-2024 18:32
Behavioral task
behavioral1
Sample
039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Resource
win7-20240903-en
General
-
Target
039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
-
Size
1.8MB
-
MD5
06c3b75deae102144ec995312d6d208a
-
SHA1
9d7386202e4012460553e792beaa4c1820cf7d17
-
SHA256
039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2
-
SHA512
75c6b6c541d078e6374f0212929b20a57b0c9e6772f002dfb3d6eb86f7611bec36b115b3932d8b826c06e0183c77f5980ffe0dcbe7067f4208d91dd8aa3ada0f
-
SSDEEP
49152:SiDHNvsmt3qmLC26/59I+HV7CjfM6ZAMZnWMsKoIyW5hbh9CQEEOUwnZvAks:/HZ/Cd5u+HVh
Malware Config
Signatures
-
Disables taskbar notifications via registry modification
description      ioc                                                                                                                          Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045960512-3948844814-3059691613-1000                    OSE.EXE
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045960512-3948844814-3059691613-1000\EnableNotifications = "0"  OSE.EXE
-
Executes dropped EXE 7 IoCs
pid   Process
216   elevation_service.exe
4192  elevation_service.exe
2220  maintenanceservice.exe
768   OSE.EXE
2900  ssh-agent.exe
4668  AgentService.exe
3704  wbengine.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description   ioc                                                                                                                 Process
File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json  039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 58 IoCs
Drops file in Program Files directory 37 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                      Process
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  OSE.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found
660  Process not Found
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description                          pid   Process
Token: SeDebugPrivilege              2072  039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Token: SeTakeOwnershipPrivilege      2072  039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Token: SeAssignPrimaryTokenPrivilege 4668  AgentService.exe
Token: SeBackupPrivilege             3704  wbengine.exe
Token: SeRestorePrivilege            3704  wbengine.exe
Token: SeSecurityPrivilege           3704  wbengine.exe
Token: SeTakeOwnershipPrivilege      768   OSE.EXE
-
System policy modification 1 TTPs 2 IoCs
description      ioc                                                                                   Process
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                    OSE.EXE
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  OSE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe"
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:216
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4192
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2220
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:768
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2900
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704
Network
MITRE ATT&CK Enterprise v15
Downloads