8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
Size

3.7MB
MD5

bf3563405a32f8b97fc315896270dff0
SHA1

96d268a515392022545142b879a1a1612d2b5278
SHA256

8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6
SHA512

3f590eaf6b630eda761997f128c10ce72fbf86bdd5ed77e3b99c63e499b6ae4916818b38cc8958146f38ae9e365338309182f91a9d8c6a8332cdc76c3697dab1
SSDEEP

49152:g/O6/G/I0vxB5NQNO5xrHUu5q7ixruTjWo0U7CUZ+ctb9BFPiKK/ykxYF/OpoCwk:g/O6/G/IixB5+OI48SPx

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dism.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\F12\IEChooser.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\schtasks.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\mavinject.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\runonce.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setup.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\isoburn.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WMIADAP.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\stordiag.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\nslookup.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\fontdrvhost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\ieUnatt.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SysWOW64\mmgaserver.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.0.19041.1_none_4e5e653d48e95632\iexpress.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\aspnetca.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\lpremove.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\n\SenseSC.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-wlan-extension_31bf3856ad364e35_10.0.19041.1_none_ba28e703f717d172\wlanext.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx-vb_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_00d7ad6537414f31\vbc.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-csp_31bf3856ad364e35_10.0.19041.844_none_c606f47e6aa94b5b\hvsievaluator.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.1_none_b19798c3028c2929\LockAppHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.173_none_f837263e7fdd508f\f\sppsvc.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\ssh-agent.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_220320d2c4216035\TiWorker.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\sysmon.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.1_none_a541e711f3b2a478\mobsync.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx-ldr64_exe_31bf3856ad364e35_10.0.19041.1_none_538a6445ed07333b\Ldr64.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-servicemodelreg_exe_b03f5f7f11d50a3a_4.0.15805.0_none_cd052606b14fabac\ServiceModelReg.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\hvsimgr.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-sctasks_31bf3856ad364e35_10.0.19041.906_none_72b8b02e4865ebca\schtasks.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\TiFileFetcher.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\SenseCncProxy.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_10.0.19041.1_none_efd4c696d660bdad\vbc.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-mscorsvw_exe_b03f5f7f11d50a3a_4.0.15805.0_none_c4e6302d398f7e04\mscorsvw.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1_none_0d3d1dcf5184d281\appidpolicyconverter.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1_none_5d1b02917c107c75\autoconv.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_be98bb8265bc211a\mmgaserver.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\svchost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-fontview_31bf3856ad364e35_10.0.19041.1_none_04a9c5158a354e7a\fontview.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.1_none_76011176d90c065b\svchost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\hvsirpcd.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\SenseIR.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.662_none_e341f52007f6d1a8\wecutil.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\vmcompute.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.264_none_13222f28beaa00a7\r\vmwp.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_wpf-presentationhostexe_31bf3856ad364e35_10.0.19041.1_none_25e540d4bf7b64b4\PresentationHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.1_none_866e293cdb38481a\SndVol.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-vssservice_31bf3856ad364e35_10.0.19041.1_none_10bddbfab734fa42\VSSVC.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.546_none_380485edeba9f4c4\SgrmBroker.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-bootconfig_31bf3856ad364e35_10.0.19041.1_none_cc5c34dfee065cea\bootcfg.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-driververifier_31bf3856ad364e35_10.0.19041.1_none_7ab192ed7079aec0\verifiergui.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.264_none_39eaf2470cfe88f0\explorer.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-getmac_31bf3856ad364e35_10.0.19041.1_none_cc444e9075b95adf\getmac.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\x86_wpf-presentationhostexe_31bf3856ad364e35_10.0.19041.1_none_c9c6a551071df37e\PresentationHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\OOBENetworkConnectionFlow.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_wcf-smsvchost_b03f5f7f11d50a3a_10.0.19200.110_none_11b0c321be81025e\SMSvcHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.1_none_e2f75fda217d5015\hvc.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_1f721a9c9befed5e\SyncHost.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-help-client_31bf3856ad364e35_10.0.19041.1151_none_e0e8a531e34051a9\HelpPane.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.1266_none_e2f3aaf24de135ec\Magnify.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\unsecapp.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx-ngen_exe_b03f5f7f11d50a3a_10.0.19041.1_none_f0f8491ec727a0ee\ngen.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_de343fb4f9af2b0a\tasklist.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\UpdateNotificationMgr.exe	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1148	3460	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe	84
PID 3460 wrote to memory of 1148	3460	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe	84
PID 3460 wrote to memory of 1148	3460	8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe	84

C:\Users\Admin\AppData\Local\Temp\8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
"C:\Users\Admin\AppData\Local\Temp\8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\tmp8432\8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
  C:\Users\Admin\AppData\Local\Temp\tmp8432\8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
674KB

MD5
0e52a8215012052d9c633778de5fdf27

SHA1
0abb5785385c3d584faf56c2e099d5d77fd5bb27

SHA256
b49e53cb15c09a2e2eab42f830e62e7314a06138222c441c7d0a3e1dec577b89

SHA512
e1c3f9153adb6d8d80fa9bbe88cb6d0b3acb76a648831ec12d5bda8b4dd99082bb0b10a02428548358850755d74d476b77cebe3657023f785bd1705d42eaaa2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8432\8af91aea81f38caf2d413ae700c50bd9b6b5ed2e05d27da3cb77ddf0e2393de6N.exe

Filesize
3.7MB

MD5
21c57937b5920dc68eb86051426422de

SHA1
926312c45991b3f4cf7a61f5e7dd77cbee985469

SHA256
0c045e633b70990f2ed932138bdcc2301a540c3ca86cd616b75d3d5a2c4b03b9

SHA512
b8bd00b9a61bfdc140b8891857476d69fd370fcc02310f0bb6e01a35c752852af89b5b8dcfd860cff5518122136fd1f03d60839c8895da35fd7a057db6f54713

Download Submit
memory/3460-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3460-67-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3460-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads