Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2024, 05:22
Static task: static1
Behavioral task: behavioral1
Sample: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
Resource: win7-20240903-en
General
Target: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
Size: 6.9MB
MD5: 7782313610d52eefec33d75a5035806f
SHA1: a577a87906dc22cd92ca8a1c51fc28d1ec7d7637
SHA256: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb
SHA512: 463da44fd72660166a3c350afba8867419948d0e1f761ac9e76e2b4c9c4f25d1d2ae098766d3c70794fe74a618534992ed2b80f0a71707652bf9efea50eb9586
SSDEEP: 98304:rIyVIyQWQtZ/K0tGOFWVRuLftCTzLapI9:tXQWyZ/K0ttYVAATzcI9
Malware Config
Signatures
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
Executes dropped EXE 2 IoCs
pid   Process
2752  UpdatAuto.exe
3000  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
Loads dropped DLL 13 IoCs
pid   Process
2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
2752  UpdatAuto.exe
2752  UpdatAuto.exe
2752  UpdatAuto.exe
2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
1640  WerFault.exe
1640  WerFault.exe
1640  WerFault.exe
1640  WerFault.exe
1640  WerFault.exe
1640  WerFault.exe
1640  WerFault.exe
Drops file in System32 directory 4 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\Option.bat  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Windows\SysWOW64\UpdatAuto.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Windows\SysWOW64\Option.bat  UpdatAuto.exe
File opened for modification  C:\Windows\SysWOW64\UpdatAuto.exe  UpdatAuto.exe
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jre7\bin\java-rmi.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\javacpl.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\ktab.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\tnameserv.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\servertool.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jre7\bin\javacpl.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Microsoft Games\Hearts\Hearts.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\java-rmi.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jre7\bin\pack200.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\jp2launcher.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\jabswitch.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jre7\bin\rmiregistry.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jre7\bin\ktab.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jre7\bin\orbd.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\DVD Maker\DVDMaker.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jre7\bin\jp2launcher.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe  UpdatAuto.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
112   sc.exe
1820  sc.exe
1728  sc.exe
1036  sc.exe
344   sc.exe
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UpdatAuto.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Runs net.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
2752  UpdatAuto.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2920  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  31
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2796 wrote to memory of 2752  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  33
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2752 wrote to memory of 2604  2752  UpdatAuto.exe  34
PID 2796 wrote to memory of 3000  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  36
PID 2796 wrote to memory of 3000  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  36
PID 2796 wrote to memory of 3000  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  36
PID 2796 wrote to memory of 3000  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  36
PID 3000 wrote to memory of 1640  3000  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe  37
PID 3000 wrote to memory of 1640  3000  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe  37
PID 3000 wrote to memory of 1640  3000  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe  37
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2972  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  38
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2652  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  39
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2196  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  40
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 2356  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  43
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1340  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  44
PID 2796 wrote to memory of 1332  2796  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe  45
Processes

C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2796

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\system32\Option.bat
      - System Location Discovery: System Language Discovery
      PID: 2920

    C:\Windows\SysWOW64\UpdatAuto.exe
      Command line: C:\Windows\system32\UpdatAuto.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2752

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c C:\Windows\system32\Option.bat
          - System Location Discovery: System Language Discovery
          PID: 2604

    C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
      Command line: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3000

        C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 3000 -s 152
          - Loads dropped DLL
          PID: 1640

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net stop sharedaccess
      - System Location Discovery: System Language Discovery
      PID: 2972

        C:\Windows\SysWOW64\net.exe
          Command line: net stop sharedaccess
          - System Location Discovery: System Language Discovery
          PID: 1140

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop sharedaccess
              - System Location Discovery: System Language Discovery
              PID: 2392

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net stop wuauserv
      - System Location Discovery: System Language Discovery
      PID: 2652

        C:\Windows\SysWOW64\net.exe
          Command line: net stop wuauserv
          - System Location Discovery: System Language Discovery
          PID: 340

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop wuauserv
              - System Location Discovery: System Language Discovery
              PID: 2396

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net stop wscsvc
      - System Location Discovery: System Language Discovery
      PID: 2196

        C:\Windows\SysWOW64\net.exe
          Command line: net stop wscsvc
          - System Location Discovery: System Language Discovery
          PID: 2536

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop wscsvc
              - System Location Discovery: System Language Discovery
              PID: 2248

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net stop srservice
      - System Location Discovery: System Language Discovery
      PID: 2356

        C:\Windows\SysWOW64\net.exe
          Command line: net stop srservice
          - System Location Discovery: System Language Discovery
          PID: 1884

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop srservice
              - System Location Discovery: System Language Discovery
              PID: 1668

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net start TlntSvr
      - System Location Discovery: System Language Discovery
      PID: 1340

        C:\Windows\SysWOW64\net.exe
          Command line: net start TlntSvr
          - System Location Discovery: System Language Discovery
          PID: 1032

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start TlntSvr
              - System Location Discovery: System Language Discovery
              PID: 1876

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net user helpassistant 123456
      - System Location Discovery: System Language Discovery
      PID: 1332

        C:\Windows\SysWOW64\net.exe
          Command line: net user helpassistant 123456
          - System Location Discovery: System Language Discovery
          PID: 1548

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 user helpassistant 123456
              - System Location Discovery: System Language Discovery
              PID: 2400

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net localgroup administrators helpassistant /add
      - System Location Discovery: System Language Discovery
      PID: 288

        C:\Windows\SysWOW64\net.exe
          Command line: net localgroup administrators helpassistant /add
          - System Location Discovery: System Language Discovery
          PID: 1088

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 localgroup administrators helpassistant /add
              - System Location Discovery: System Language Discovery
              PID: 2256

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config srservice start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 112

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config SharedAccess start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 344

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config wuauserv start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 1036

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config wscsvc start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 1728

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config srservice start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 1820
Network
MITRE ATT&CK Enterprise v15
Persistence
  Account Manipulation (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Account Manipulation (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 5.4MB
MD5: 4c413e3b21898c286e1523a58b7d78b0
SHA1: e27f2db280a7982adbbf7b6c7b206259efe6287e
SHA256: 65c79f2fe5f49ee89aab6514e8f10f77c60b3c6cbb93d747823fabcde5fee753
SHA512: 4e3f6584c191ae49a4704811165044c4f6ba00acc98b077ec619ed3e60c47a774b6eff455ec58edf174676927a5954f14922b9c0cbf54073d47b2174bcb6ce92

Filesize: 6.3MB
MD5: 87bcba5a8da612b971b56289eacb28d3
SHA1: e1584dd349715ad8ba2c942839010b2d4c2f5a61
SHA256: bacff00775b232d0dcafe690c8796473a8e1a4a05858e2faf35efea59f57325c
SHA512: 00a94693f909dc7347d98d19800c7e2ba50430840da07ad5ec2c1c7a665bd28d39193e4e761e7fee689e64ffb6d4cfc1402f70e3367fbd5c6040aeba9aa4ce79

Filesize: 6.1MB
MD5: d62e5dde55362fa2b9040d97f4b21617
SHA1: 4b1c45c1d2d05155730c941601fee5933c2975dd
SHA256: f6b963b22617c6367c952686878d825ba1849022efadb37b6d9414c6cfc70bdb
SHA512: 80294307d9255411c66e4ce0bea08b81b0c8aa84ea294440be363fdc823ff7debc55711b0393aab02ff32da2fa76410f88935b594b68dab80be4ee84acead3d8

Filesize: 5.8MB
MD5: 1ec6cef196a2cc5e53afe8128aeb6222
SHA1: fe7d4d9c369f18f27af56dc7ae411ed3ae9719a6
SHA256: 768394fb22a3c284cb2bd912ddc4cab87f4d9348e04d34d7a65e113398d02389
SHA512: beb8ce21c583c24547a8d051c2a1a9b502ac5cb5049e1ed18109cb69571b1bd6758b32d2e6e6fd6f8a865eb8e151e38ac8060ec07b3b871a7940d469f230a64f

Filesize: 5.8MB
MD5: 075bae8555a46d146a068619afa89475
SHA1: 383758a12b560437d3463b88cf29ed26002e2e07
SHA256: caeacad49ea8ff00c8cbe6132c1dec74132b475ef9e7548af0f0ecf3e9c11deb
SHA512: c6ed575c430dbf42897e74821999eda99f063941fda0f5db5a9bba91ce44e0bbed1ef7173ffb3c4dccc6638918f107d88d9c20c8d830accd638ded11d2beea7a

Filesize: 6.2MB
MD5: 23be8ddc868a2377798ffe7de1b56a13
SHA1: 1973f858b150bbd5603424b3ee226ee9d00816a9
SHA256: 7be5144a63c7eb896be6838d7cd5aeb1ed3a2776f65f68b36251fb684630d4fe
SHA512: 2ebbf60a4594a1533028d8afb8b96b958d932a50bc68b881cfd2609dac23dddb79452351fcee9bcfdf204ca877921549271b013b869264bf3b6be7f6be54670c

Filesize: 6.0MB
MD5: 9fd5b9cb0adc45ab38d170e9310296ef
SHA1: c61a8ac00c1f840fb19c54a3914f42bd2c49c27d
SHA256: 5af29262f05990185ccc0e9d46699d6a7b248dce946057da392c793852d055ab
SHA512: 6e3505d2013d3b9198cb8b9e8086dd21e553e8a4dad31f246a88fb9f06a21a1c0f978f44b33fb2ee8a90afe1dcebbf2e14d6a10309345b3a4cfc414f5a37e5a5

Filesize: 5.3MB
MD5: c8a418ea7bb8e581ec3b3b704e391f6a
SHA1: 4cc9f089d75de54d10d6ec2714b7c80ba1c9891a
SHA256: c9798728c1ed0e072387a16faeb51c82b902d995c2e663b7d9d221c1bd85f01a
SHA512: ad70fc1848b97458a032fcfef5da0b890c2dcdbff5582598bbaeb0182c6236b95596ba556821a9f053c2e6c21e5293f4ce35f8a21a2ab2ac77e368225bbdf197

Filesize: 9.6MB
MD5: 78f556b393481777246a15db34aa8d27
SHA1: 7bf105c6d8d43203f7f7e060bf60446c835b63cd
SHA256: 7a864ca0e14126a2eb1bb67ea8b368cdecc2da8c0e7e523f7543ef075eaf385e
SHA512: 3786e4ddd0f68c6b875b9c08ad9c15e82d3601cef6f98bed6d94c12a9b8547453d884f71c2d89ffd37f54f2d0407504d12124e9f6a63919c1c379cff440d542a

Filesize: 6.9MB
MD5: 09d63f6304b612039e523a6ba103d114
SHA1: eb7848729c139cf0df778cdfbdfa0319f34e9cff
SHA256: 0a7835ffb50407e2f6446a5fab58dc8336906afd0bbd7b8d0f55303f5a344b74
SHA512: 9d3dca9143bdd5787efe3ef4078bace776bde10578545db1abdb2890ea28688a0dda327343afc63c0af4045a1ce1a1e5470862aeb9450c2db6c4cd2d87ae3858

Filesize: 6.9MB
MD5: 1f1688e9f122140daccc50515366d328
SHA1: f566185fae0f4ea80d7bb33ca1b020cf8bca086e
SHA256: b1534fbe01547c61412045390079bb21add15a9fd98926d2bb5eb2cc1372c6c2
SHA512: 4f74aa9f58f95ae801f95b9a65f47ab76438fcdb326ffc685df96342cadc85b640febe8909e6a8494519fa85259ff51635dc1f827ab6cb461ec037f2f7f8fe0e

Filesize: 6.5MB
MD5: 38dd746f51be919372861025b0a120b4
SHA1: 9bd6b1d1faffe764a64cff7b27fe3eca11eeddba
SHA256: ee7cdb25d88fe649ef0ebfccda0bb406b92a48c20476611a220c4ece4dbe0170
SHA512: 1235ba827dc1fc065f43a06dc0f926ad98a65a664dfdf873a1b27889ff519cfced8fe2df653555d73a8c9dff405c2c0f82bc7a3fc17fb027b84a6205d81b6be5

Filesize: 8.1MB
MD5: f05d050f82032d0f994eadb2bd6e1e31
SHA1: 2ed5acc6b469d5823363b68f231d6df19206fee3
SHA256: 9cd91b194b311d2bd8da6be3637704c6202e83ac521f7f84fda5e60d43f5be6e
SHA512: b11c345d5bd4c33d5cc59e6e83f5f9efab289b36a61d6308187a0f3018f5ac981c38ad0f6369b435531538cebc6023da79fe3370b66fe829af0d0138d05ecb74

Filesize: 6.3MB
MD5: e48e8a5a7f8eedbc9797ea6a2805e1a1
SHA1: cce28d6fcaec7e2136fdd5f75b05d184271db9f6
SHA256: 45e5f614881dcae4c8a5d7e82b163e7548d701c0a9b4fe3109303e1ffdcf8481
SHA512: 915ab8ccf1b7cee042c4019343bd38ab25b37da5ba69663a818301fbddcfccbc97a9450ec479a08d0395d9c8698dc5cf36ce992323c184bad20687e896ba09f1

Filesize: 53B
MD5: 1d04abf39e9df55eed1d04430cc21eb8
SHA1: b8292861dfd4e046eb9625e1571cc08c26094d41
SHA256: 0bc485263cf8a962e64db0b88f156f2a9af1b81ecfdb1cf9111d497e85df70f3
SHA512: a2cccc03dadecf6a298b274a6735675aeec1cc280f84432498e9df31aa4a543d2557a2fd06bac4fc8778a774b30bbd31f91c1d0d3ace480b6217654c8d63a7d0

Filesize: 5.3MB
MD5: b835cea5d0100a77d466f66774bcd561
SHA1: 2b14e493947a239eeecbb657215d4de97d610975
SHA256: 30e568425d70e4daabdfe869fa23e5c1afcd973d5697b8456bdfc8a14b23c1fb
SHA512: d6e0be7ad2037eebb4cf1836983384e6589c03fc95e00d5c430c3e1f99595ef474c4403db4557864a0ce0f4c391a4ea083f82abd2514c3c5ed4dfae5dab6520e

Filesize: 5.3MB
MD5: a44d848a6a230a19c1f7de013c27aac5
SHA1: eeac29ced48b07eb22e14da6315d0802de3c15a8
SHA256: b6b063266d5a981157cac9850c100293e384f78da21e895e2cc56a13b17cd0c6
SHA512: 087cdf15b087deb75a1990371dff4312d6d4bdc0c5f6cabf08c721c2d77148fb705e2cf8efafab196bcb0d8a66c9f243f487dfd5133ad82895582025ff8195a0

Filesize: 5.3MB
MD5: ba49ead4efa59142823318dd6cf15630
SHA1: a9aca19c8713b653bbea2a3636bd7cc525b610a9
SHA256: ee0224247a20d639124a3971598102b42adb480a7a3a4d411f3735d9439b9e69
SHA512: e21194883952f7464ddc6a3a60b28d39d3847e8ea8a24f4a3eaa1cfda2e5e2fa77f3fef7d05dc4b13e747e2d522c482dddc45ca2dd0e094286be050b371784b7

Filesize: 5.3MB
MD5: 9054016f7639c4d31f001dd4efb74c32
SHA1: 3c32843754d426740907ae3aee3d87e0ed820d71
SHA256: 14b822a3d3e15ad8d6e5724c9b892804a3033f234452bb427c63ba354e602157
SHA512: 46bd95e22720fb8ace602aeee98e0a2dc14bce80947c12a61cc4a945f8c3cd703837469b49403ca9f1bad15cda1ea45437264fba1ebe8e30eababafeec3f05b8

Filesize: 5.3MB
MD5: 0a98cb06c8752ba15965b76e6ec2932d
SHA1: 911d2d5db9c1c72d7e2eacaa43d1f1c11652a561
SHA256: 963d28b69affbb2c9880e3217e9ca72010be8002dbe7f1a3bda4121016f3f50e
SHA512: 3b9509fd3e81f22d2c5e1e7c68ad7fd2d2f0fb2049e2263bb14fb3cb8431eed06c4b49665b73b95817f6369fb278718de17de13422b0b8bead9ac77a569ac72e

Filesize: 5.3MB
MD5: 86cf0d50d0f2057e609edffafad2fe83
SHA1: 6278efc66dfd2a1c470d184a78469782a4056b8e
SHA256: dc60229c74a6f976f88d5d77f20ede4fe9a2739784d434b92b9855de39b78b2c
SHA512: 4c473206b13fb430bf87d97cad928bcc2616aec1f04091482186c4e3a0c6823b70460961650260bf7fbb3b1de87b543da1075869e583ca31da701883cd30a6f2

Filesize: 5.3MB
MD5: 2a684cad952811f2d23412c285db857b
SHA1: 7c9f09a4e2b0833fa68c5e36497b6e09648779c9
SHA256: e13e23f8dcc345df7aea2019911c57241be5ae4de478b1443b223f5a2289188a
SHA512: d68fab1f9ed117ef8fb2b1a771955ae42e7f1780a4b7e76b69c7e2faa887447ccba172938eaa83773249cf0a2b9d6f8fe430f4e226d04bfa3ea44632e31bf0e5

Filesize: 5.3MB
MD5: 0175e4799bd7d164ccd2e04f446340ac
SHA1: 9193f00626d66b931621fe0c75bdaae32d307cfd
SHA256: e8301bb49866edfa35d54ae5cd0f334408e4727beff45a3c9047ea2334df6ddf
SHA512: f8aec97617856e614bdf8f64fcc14d842f60e1da4d853bde79d4322567c79caee90b487b303b338b3acbe9c69ab8729a3032e5526ebd208ef728cddcc48ffa53

Filesize: 5.3MB
MD5: 21716a6ee5e2a256e86c6a8d7f6a4ae9
SHA1: 6428a8a62ef98543997e80e4421299cab596cf03
SHA256: caed0162d36522aa92f502df0be9c384c53210e16b7103ff72cbe07de40d96be
SHA512: baeed1334c703c97951eeace988993bb6c57ca2e9acbd2ccf389d417c38357b6dfa1e73e689fc3400472914acc002bb38c2ca77e0836bf069f8600409eea0543

Filesize: 5.3MB
MD5: 241de30333dffd42338d40e889f94f2b
SHA1: 82b103568b4eb2f10a9038fb2949212ffc308332
SHA256: 6460f95666e9d89a4cdf87724bc9472f999a8bd5c658fb6e4fddb5d6e17ff5ca
SHA512: 69942ff4c241cc34df6c1e508fa4c2d5101005463cb55b0acc16154daf80d6fc37f3d8c070b5b8cbe2670e634e70231efe50d94ef75b7dbef6622a98dd117dcf

Filesize: 5.3MB
MD5: f5130fdefb6f23dfd05e4d040866c767
SHA1: 1ade5c56ea2c56ac4ad64c22322f6a70c85a6ec6
SHA256: 9039999a2a70bec7720104bdafd72106eea12027bdd38bb591b166fb79bfea90
SHA512: 4e826ddc9d79eaa7a088f880dcc9f1bad32c56e86fb90ce1846148af9204e7262f791359f3f9e5e34d9e2fd22b6eacd647c9ac3e490679f6bdaa5ca7ccd6a938

Filesize: 5.3MB
MD5: bfe2d9ad74641ee0a66c2e59f937c8a7
SHA1: d1b58cfd1cf4ef3636a7e207bec8dead293e7fa7
SHA256: 62ed9dcefebd9bedbe31654fd063b6dd33b99c2ad9e4f6a667ed3c9266870d1e
SHA512: 532271a139d16a8dcc63546f6a1d421ef20be8323ad0284166285519f71de74868ca379dc08670d08e2651dbb820797f54220cfb79224e4566a710e9f081b49b

\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
Filesize: 1.6MB
MD5: 72d5165e0744f25f33618830f5fff579
SHA1: a4138dc2ff4eb6e62ce3b7d0891931062bd63de7
SHA256: 814cc0aa61ca1827c3c38a4619b974db6c7325c41cb1facd6aec57fd97c54fc8
SHA512: 59a2cd04cfc3c329d0e198e32c91ec2911e5d24caf1f1afbfe1dde52700d9e89f82c289b9deed1d819f6265e897f3f5e75ba45cab05b0b0570245fadc39d1cb9

Filesize: 5.3MB
MD5: c71e745a2d45cb7353c7f527c97c9115
SHA1: 15499d15a6ecbd60ab2723c9b61e5e5afc84048c
SHA256: eaf3e2e75aa573c24dfc588b5cc697b1288c826b12f8435d87fabb8a47312906
SHA512: 517964a4654f8103330fdb514220eddef69efdfdcc39f70c44f4dd5af1a34175eeaeaf3e1d6224141063a1603a3bdd1e88977c29e6726ecf34ccb4f16bdd93c2