Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-10-2024 16:14
Static task
static1
Behavioral task
behavioral1
Sample
63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
Resource
win7-20241010-en
General
-
Target
63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
-
Size
7.0MB
-
MD5
80fc186d5e0d36d61aa30e7806847b37
-
SHA1
dbfb171d5774306ff5437bdf11405c2d09771b76
-
SHA256
63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219
-
SHA512
6e9f7077de1da76e05dff833bd6d8f7558441df91db9bddbe339afad4271a76745618337631ef76b22ba47e81f55c8bfb7e1a941a5aa314043286edbef83e622
-
SSDEEP
196608:2KXbeO7G9Ghf7Ejo+xyvsLD26vhn2IGJ3:b7GEhio0yI265GJ3
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3676-14-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3676-15-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3676-18-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/896-23-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/896-24-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/896-37-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/896-27-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4612-45-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3116-371-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/files/0x000d000000023b95-416.dat purplefox_rootkit behavioral2/memory/3664-383-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 12 IoCs
resource yara_rule behavioral2/files/0x000d000000023b85-5.dat family_gh0strat behavioral2/memory/3676-14-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3676-15-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3676-18-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/896-23-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/896-24-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/896-37-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/896-27-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4612-45-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3116-371-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3664-383-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe File opened for modification C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240611859.txt" R.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240611781.txt" R.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240613734.txt" R.exe -
Sets service image path in registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation IK_Multimedia_Keygen.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation S.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 29 IoCs
pid Process 1984 R.exe 3676 N.exe 896 TXPlatfor.exe 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 4612 TXPlatfor.exe 2548 IK_Multimedia_Keygen.exe 3244 S.exe 4448 ._cache_IK_Multimedia_Keygen.exe 664 ._cache_S.exe 4984 R.exe 3288 Synaptics.exe 1104 R.exe 2424 N.exe 2428 TXPlatfor.exe 1424 N.exe 3000 TXPlatfor.exe 1920 HD_._cache_IK_Multimedia_Keygen.exe 4580 keygen.exe 3116 HD_._cache_S.exe 3664 sainbox.exe 4080 sainbox.exe 1512 ._cache_Synaptics.exe 4388 R.exe 4172 N.exe 1616 TXPlatfor.exe 3872 TXPlatfor.exe 3836 HD_._cache_Synaptics.exe 4184 keygen.exe 4980 Remote Data.exe -
Loads dropped DLL 10 IoCs
pid Process 1984 R.exe 4984 R.exe 1104 R.exe 4976 svchost.exe 4580 keygen.exe 4580 keygen.exe 4388 R.exe 4184 keygen.exe 4184 keygen.exe 4980 Remote Data.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" IK_Multimedia_Keygen.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\R: sainbox.exe -
Drops file in System32 directory 13 IoCs
description ioc Process File created C:\Windows\SysWOW64\sainbox.exe HD_._cache_S.exe File opened for modification C:\Windows\SysWOW64\sainbox.exe HD_._cache_S.exe File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe File created C:\Windows\SysWOW64\240611781.txt R.exe File opened for modification C:\Windows\SysWOW64\ini.ini R.exe File created C:\Windows\SysWOW64\Remote Data.exe svchost.exe File opened for modification C:\Windows\SysWOW64\Remote Data.exe svchost.exe File created C:\Windows\SysWOW64\240607750.txt R.exe File created C:\Windows\SysWOW64\240611859.txt R.exe File opened for modification C:\Windows\SysWOW64\ini.ini R.exe File created C:\Windows\SysWOW64\240613734.txt R.exe File opened for modification C:\Windows\SysWOW64\ini.ini R.exe -
resource yara_rule behavioral2/memory/3676-14-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3676-15-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3676-18-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3676-12-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/896-23-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/896-24-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/files/0x000f000000023b8a-30.dat upx behavioral2/memory/896-37-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2668-31-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral2/memory/896-27-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/896-21-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4612-45-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2668-67-0x0000000000400000-0x000000000041C000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4892 1984 WerFault.exe 84 1368 1984 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_S.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IK_Multimedia_Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_._cache_IK_Multimedia_Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Remote Data.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_IK_Multimedia_Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language S.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_._cache_S.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4180 PING.EXE 4316 PING.EXE 3476 cmd.exe 4580 PING.EXE 4980 PING.EXE 3924 cmd.exe 1664 cmd.exe 2976 cmd.exe -
NSIS installer 4 IoCs
resource yara_rule behavioral2/files/0x000c000000023b93-50.dat nsis_installer_2 behavioral2/files/0x000e000000023b97-72.dat nsis_installer_2 behavioral2/files/0x000a000000023ba2-351.dat nsis_installer_1 behavioral2/files/0x000a000000023ba2-351.dat nsis_installer_2 -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie sainbox.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" sainbox.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix sainbox.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" sainbox.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software sainbox.exe -
Modifies registry class 34 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 keygen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ IK_Multimedia_Keygen.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 keygen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ S.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags keygen.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU keygen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 keygen.exe Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 keygen.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" keygen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ keygen.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ keygen.exe -
Runs ping.exe 1 TTPs 4 IoCs
pid Process 4980 PING.EXE 4180 PING.EXE 4316 PING.EXE 4580 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4576 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 4448 ._cache_IK_Multimedia_Keygen.exe 4448 ._cache_IK_Multimedia_Keygen.exe 664 ._cache_S.exe 664 ._cache_S.exe 1512 ._cache_Synaptics.exe 1512 ._cache_Synaptics.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe 4080 sainbox.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 4612 TXPlatfor.exe 4080 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3676 N.exe Token: SeLoadDriverPrivilege 4612 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 2424 N.exe Token: 33 1028 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1028 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3116 HD_._cache_S.exe Token: SeLoadDriverPrivilege 4080 sainbox.exe Token: SeIncBasePriorityPrivilege 4172 N.exe Token: 33 4612 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 4612 TXPlatfor.exe Token: 33 4080 sainbox.exe Token: SeIncBasePriorityPrivilege 4080 sainbox.exe Token: 33 4612 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 4612 TXPlatfor.exe Token: 33 4080 sainbox.exe Token: SeIncBasePriorityPrivilege 4080 sainbox.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 4448 ._cache_IK_Multimedia_Keygen.exe 4448 ._cache_IK_Multimedia_Keygen.exe 664 ._cache_S.exe 664 ._cache_S.exe 1512 ._cache_Synaptics.exe 1512 ._cache_Synaptics.exe 4576 EXCEL.EXE 4576 EXCEL.EXE 4184 keygen.exe 4580 keygen.exe 4576 EXCEL.EXE 4576 EXCEL.EXE 4576 EXCEL.EXE 4576 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2080 wrote to memory of 1984 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 84 PID 2080 wrote to memory of 1984 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 84 PID 2080 wrote to memory of 1984 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 84 PID 2080 wrote to memory of 3676 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 93 PID 2080 wrote to memory of 3676 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 93 PID 2080 wrote to memory of 3676 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 93 PID 3676 wrote to memory of 3476 3676 N.exe 96 PID 3676 wrote to memory of 3476 3676 N.exe 96 PID 3676 wrote to memory of 3476 3676 N.exe 96 PID 2080 wrote to memory of 2668 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 97 PID 2080 wrote to memory of 2668 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 97 PID 2080 wrote to memory of 2668 2080 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 97 PID 896 wrote to memory of 4612 896 TXPlatfor.exe 98 PID 896 wrote to memory of 4612 896 TXPlatfor.exe 98 PID 896 wrote to memory of 4612 896 TXPlatfor.exe 98 PID 3476 wrote to memory of 4580 3476 cmd.exe 119 PID 3476 wrote to memory of 4580 3476 cmd.exe 119 PID 3476 wrote to memory of 4580 3476 cmd.exe 119 PID 2668 wrote to memory of 2548 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 101 PID 2668 wrote to memory of 2548 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 101 PID 2668 wrote to memory of 2548 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 101 PID 2668 wrote to memory of 3244 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 102 PID 2668 wrote to memory of 3244 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 102 PID 2668 wrote to memory of 3244 2668 HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe 102 PID 2548 wrote to memory of 4448 2548 IK_Multimedia_Keygen.exe 103 PID 2548 wrote to memory of 4448 2548 IK_Multimedia_Keygen.exe 103 PID 2548 wrote to memory of 4448 2548 IK_Multimedia_Keygen.exe 103 PID 3244 wrote to memory of 664 3244 S.exe 104 PID 3244 wrote to memory of 664 3244 S.exe 104 PID 3244 wrote to memory of 664 3244 S.exe 104 PID 4448 wrote to memory of 4984 4448 ._cache_IK_Multimedia_Keygen.exe 105 PID 4448 wrote to memory of 4984 4448 ._cache_IK_Multimedia_Keygen.exe 105 PID 4448 wrote to memory of 4984 4448 ._cache_IK_Multimedia_Keygen.exe 105 PID 2548 wrote to memory of 3288 2548 IK_Multimedia_Keygen.exe 106 PID 2548 wrote to memory of 3288 2548 IK_Multimedia_Keygen.exe 106 PID 2548 wrote to memory of 3288 2548 IK_Multimedia_Keygen.exe 106 PID 664 wrote to memory of 1104 664 ._cache_S.exe 107 PID 664 wrote to memory of 1104 664 ._cache_S.exe 107 PID 664 wrote to memory of 1104 664 ._cache_S.exe 107 PID 4448 wrote to memory of 2424 4448 ._cache_IK_Multimedia_Keygen.exe 110 PID 4448 wrote to memory of 2424 4448 ._cache_IK_Multimedia_Keygen.exe 110 PID 4448 wrote to memory of 2424 4448 ._cache_IK_Multimedia_Keygen.exe 110 PID 664 wrote to memory of 1424 664 ._cache_S.exe 109 PID 664 wrote to memory of 1424 664 ._cache_S.exe 109 PID 664 wrote to memory of 1424 664 ._cache_S.exe 109 PID 2424 wrote to memory of 3924 2424 N.exe 112 PID 2424 wrote to memory of 3924 2424 N.exe 112 PID 2424 wrote to memory of 3924 2424 N.exe 112 PID 2428 wrote to memory of 3000 2428 TXPlatfor.exe 113 PID 2428 wrote to memory of 3000 2428 TXPlatfor.exe 113 PID 2428 wrote to memory of 3000 2428 TXPlatfor.exe 113 PID 3924 wrote to memory of 4980 3924 cmd.exe 140 PID 3924 wrote to memory of 4980 3924 cmd.exe 140 PID 3924 wrote to memory of 4980 3924 cmd.exe 140 PID 4448 wrote to memory of 1920 4448 ._cache_IK_Multimedia_Keygen.exe 118 PID 4448 wrote to memory of 1920 4448 ._cache_IK_Multimedia_Keygen.exe 118 PID 4448 wrote to memory of 1920 4448 ._cache_IK_Multimedia_Keygen.exe 118 PID 1920 wrote to memory of 4580 1920 HD_._cache_IK_Multimedia_Keygen.exe 119 PID 1920 wrote to memory of 4580 1920 HD_._cache_IK_Multimedia_Keygen.exe 119 PID 1920 wrote to memory of 4580 1920 HD_._cache_IK_Multimedia_Keygen.exe 119 PID 664 wrote to memory of 3116 664 ._cache_S.exe 121 PID 664 wrote to memory of 3116 664 ._cache_S.exe 121 PID 664 wrote to memory of 3116 664 ._cache_S.exe 121 PID 3116 wrote to memory of 2976 3116 HD_._cache_S.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe"C:\Users\Admin\AppData\Local\Temp\63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 4483⤵
- Program crash
PID:4892
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 3883⤵
- Program crash
PID:1368
-
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4580
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exeC:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe"C:\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\._cache_IK_Multimedia_Keygen.exe"C:\Users\Admin\AppData\Local\Temp\._cache_IK_Multimedia_Keygen.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe5⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4984
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4980
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exeC:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\keygen.exeC:\Users\Admin\AppData\Local\Temp\keygen.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4580
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe6⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1664 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.18⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4180
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exeC:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\keygen.exeC:\Users\Admin\AppData\Local\Temp\keygen.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4184
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp\S.exe"C:\Users\Admin\AppData\Local\Temp\Temp\S.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\._cache_S.exe"C:\Users\Admin\AppData\Local\Temp\._cache_S.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe5⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1104
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe5⤵
- Executes dropped EXE
PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\HD_._cache_S.exeC:\Users\Admin\AppData\Local\Temp\HD_._cache_S.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\HD__CA~2.EXE > nul6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2976 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4316
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1984 -ip 19841⤵PID:3604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1984 -ip 19841⤵PID:1892
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240611781.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Executes dropped EXE
PID:3000
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f0 0x4d81⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4576
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Executes dropped EXE
PID:3872
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD59a3c61df86c424daee504806bb14b49d
SHA1831cae7baccb88bcc041a43f8a2539b029cc7604
SHA256d38bccf5f566c87affa25ac6db124e9f26735b42a7ef531b4555a1ed5d9e5688
SHA512af87fa1246005a515f1405a508db87b59e5c50ccc03a4baf22cbb38c3c1e735c12d5d6f45a356e3025406426da4f3342aeeef5596813d78993e9c213df900627
-
Filesize
3.8MB
MD5cf523a51798ea37faf7c3e08e9bcc3ba
SHA189ad48c34eb3567c164c76b9b77166c4646837fd
SHA25696bb7d7cfb7d64b6b057ed724c60bc26b95a74d10793c5aa3a93bd016463e7ca
SHA512e32858df3c3fe8dde1a371235d3d42112f65bd2ce42b83b367c3e01e690fcd2d2866aad5e922244b2687601fb0a71cb49bce9c9dbe2cafbc26f85fe5289860ed
-
Filesize
33KB
MD5e4ec57e8508c5c4040383ebe6d367928
SHA1b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
SHA2568ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
SHA51277d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822
-
Filesize
22KB
MD5ddc122e37538ddb39f4fd4976bc9def2
SHA1909d5eb0f9cbe68986aba92c243959a1e7370eb3
SHA2568e5c52e152ef1fa851e018982cb4f64fb91688f53ed777a5a3143d7b0722ab01
SHA51238911977a89448addbf7829d9aa6e17be071c1e4108448ef194a52f510b159281f252f1b738b5295526b7aadefe9a339a620dbfb5a7dc27f4ac7f76ed3de130d
-
Filesize
547KB
MD513e77ef36e4a1d4ef4195c0f6f5101af
SHA15e19192dc762b496b68d85ed63a53b0bc10bdf96
SHA256ba8c443e35e4d3d77b617959636d8f5e268788e8d954db4b83713e6f90709559
SHA5128967cf035d79f1d319c5cf39dad66650e888221f786f312c96e2afd9247da7c6894d3d21682638cdc9dda40d5646244f54f787f63b2abe7aa94d5c0008c0c2ce
-
Filesize
1.3MB
MD57fecb2665333ecf24969b5e0219122dd
SHA1a99a230924690bc838230cdf466a9db6ce529568
SHA256ebb1fbe882a201461c9a3556813e1d62c85efc5e064c708049aa14fb2310f5dc
SHA51206e2375c52ac9079a0e95da0ca27ee0c70de197ce42af86fbe7cfbba28b9d4e503dbc07bf26640695a893ae7747707b97fec766bd2911ecf988a49702c29f135
-
C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
Filesize4.4MB
MD5e714b9df7d623016aa19ea43ad488a02
SHA16bceb16c3125f82054d55c37b969f12ad31e8170
SHA25667625ece2bda081b8b918a24148c4344e168801351e7fde79487565d0342cb84
SHA512bff4a3e129f9749bd9eaecfc17ce4ed2e122baf405aff1960897e33f2b00b50cfa221dd214c923c598f9d7926fa380b9ef7b9644e4ae3ddca74229d42bbadb6a
-
Filesize
2.6MB
MD5e5d12d9bbd73b479612758f61dc8899d
SHA14a8ac777f4e8ec19f47d936d253412a1d07f13dd
SHA256321d61f4896d22057d407a425488ed8cd587a7c0a8652d397c9d3f196c1e23cd
SHA51282a802cab448274645309bf633fd30371a559ebad7dfa6eb3d4fc9b889514d79c88408ba88e01d3e5454d847c1bab161870f251df23795fc3156effc91294e4a
-
Filesize
2.6MB
MD5e4f19a6659d30ed6786bfaa09960745a
SHA107bdc6547282935ce0854df40715eda0a7534d4d
SHA25680e91b73eb3c600c0a628cc77b84b0ed8ff2b0583be7bf3f5b1ee2de57136817
SHA512df1eccba764aa0de6c64bce94c8b4c816aa489a46c8eb6a48ceb29c9834bfb1873e6d68d22fd19dd0414fffed461324e6abf7987c8d35901cb4890325780b0b2
-
Filesize
2.6MB
MD5dba980e5e11128b1a9e64c5bdff31ed3
SHA1199a1b39f54c24fa349c50de5856dfd7986e3a83
SHA256e77c2c396c3e462093dbf27d800cc53efdff8d90142b39039cb868162f5a2326
SHA5127ae39d12c24331a65f570eaa4db2ce005e214e99507fc96ae5b26c1d6622c2aa0c4ea59472fec6f2fba3ec1f949448bd29d94f4db5e725a5a83c4a726d312777
-
Filesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
Filesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
Filesize
79KB
MD5511e942e713956682c1ea73f33a63542
SHA1a6fdada3858cda2608937c668590be3d51869c39
SHA2567f8124c4b402bcdb0a0628447079cafda7755ec17397616b5ce510a98a4f3f07
SHA512b5dc43deff1bc153eb2850b9854db1bc02c34128a75ddec0a1f617d472a0ad5851e940a59fb9a511f9def18c50f0a9c29843b0ca66c5b23b413f407d0b0db429
-
Filesize
3.9MB
MD5d88f282137d036dcb87ef1dd77fdd1e9
SHA1d40dc44af20a1be2fc580c9f2ab7b0d0fd5208e5
SHA256f4792d51698b4cca7032ef76aafe0c26dd2a1e8f50203de9b227ededc9575476
SHA512969f256dcbcd8d7ffa1a778d3ca279490cae19072cd158e573bd5d38708f2e63b6760a2a07c4c49d19c2b864a28865985122b170499be87e42b6eb3014301499
-
Filesize
4.6MB
MD58963e3c3c5117e505c33a83eaede97c9
SHA148e8c67ccbb3c29350fd3638980a07f4080232c1
SHA2565b10c85d67bce30052060eca7dc492d14bd0e3cdcafc1feb49222698a61515b1
SHA5129c67b55428118117adf1e6e7694a12d871f0ddffb211c3992354f52a707af9c4e85bb55fa92b2a89a38bebec8db846b8677b7d6842d308b9ff586dbb02e53f15
-
Filesize
53KB
MD5a30878984af33ee69ace5cf8e330b974
SHA1916e9098ad80f3e79502adac42820b1ffbae1eb6
SHA256498eadc5b3d65aaf34b8496954c3362f033297c489d7ef4559cba8890c530171
SHA512f3ddaf6d3b4e12928efe5c167e8d010c858f19d4bf5a9698b4aabe21e53b5762ad667c81bd4e119083b6213bc96869056538dfc6fcdfc8147cfb1f1ea0c2162f
-
Filesize
676KB
MD5e7347f21d9f7ace4da3f8ec96a448b97
SHA126a8742221afa65a08caf93ee71723fbde7aa661
SHA256a0948635cc81f38e5ed40a378a39c889f3e787118f9e85a51dfeef4b8bb7e3e7
SHA5126fe7256a9e13a34434c5ffbff9720526afa17c4ea664189622caf03b721a33b1bccbeb46ca4c00d22b82e572763ff979eac4da7f72a654a7282f351c1dc4a6b7
-
Filesize
899KB
MD5195348bea799618dc843bbea6663eb85
SHA176e58b44e633bdb19afdae98963f139ddd336a06
SHA2565e59a187646759f626a4188445d70f56972c7a6c5ef468628a7ab1a3d4507b5f
SHA51206b8f754bc93453a4c0dc4fc725f3df91a448ca50d1143f809a3a4aa812ed8baf2644fdcfedfb30f40d21476f480561aac5c79db86c05a04f1bf3d552b335e52
-
Filesize
44B
MD56e317929ed9489c99d8dcaf8d8cb7b2b
SHA124afc0a78713dc8d3cbd24a87fe6908b8eb19cb9
SHA2565c83cbae6aec5f43b44ef3f75a510d4744e3625f47013f8656975b667427eb78
SHA512403838879d597bedb4e44c7f19eab22fea2abab11c2c6f631b0135769dc93a85928ccff596dd5305cc4ea644a567517fa851b3597973df7aeb279debe1d441c8
-
Filesize
76KB
MD54e34c068e764ad0ff0cb58bc4f143197
SHA11a392a469fc8c65d80055c1a7aaee27bf5ebe7c4
SHA2566cce28b275d5ec20992bb13790976caf434ab46ddbfd5cfd431d33424943122b
SHA512dcea6d76452b1ac9e3c1fed7463fe873b4dd4603ec67a4e204c27ba2c1ea79415508c3044223626f0ae499a9b7a3d6fb283f0978b5e20a58e959c9440376e98b