Analysis

max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2024 01:08

Static task: static1

Behavioral task: behavioral1
Sample: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Resource: win10v2004-20241007-en
General

Target: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Size: 3.3MB
MD5: fc8c310f416f252bd419dc55cc08e7a9
SHA1: 37c58bd11af4de0b0c2aa744b142cc38660bfd4f
SHA256: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d
SHA512: bb45a141c53f9917473a691ae3889fe7ce06d96682ff33eced5d20b1e8972fde75cbb26ea9e4ca799211c0cd2b5e8a3a9977a200796a5c285d0fcb0d71e5491c
SSDEEP: 98304:AXz+HqdYDMjxN3b8/rfb6ray6lwhKW8NArojH:oKHqCm8/n6WWhKdA8j
Malware Config
Signatures
Banload
Banload variants download malicious files, then install and execute the files.

Banload family
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: update_kor.exe, svchost.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | svchost.exe
Drops startup file (1 IoCs)
Processes: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\èíôîðìåð.txt | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Executes dropped EXE (6 IoCs)
Processes: svchost.exe, update_kor.exe, update_kor.exe, svchost.exe, svchost.exe, update_kor.exe
pid | Process
2536 | svchost.exe
2532 | update_kor.exe
1164 | update_kor.exe
2804 | svchost.exe
2424 | svchost.exe
2044 | update_kor.exe
Loads dropped DLL (5 IoCs)
Processes: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe, svchost.exe, update_kor.exe, update_kor.exe
pid | Process
2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
2536 | svchost.exe
2532 | update_kor.exe
1164 | update_kor.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: svchost.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Local\\winrar.exe" | svchost.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | whatismyip.akamai.com
Drops file in System32 directory (64 IoCs)
Processes: svchost.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: svchost.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\ttt.jpg" | svchost.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: svchost.exe, update_kor.exe
description | pid | Process | procid_target
PID 2804 set thread context of 2424 | 2804 | svchost.exe | 37
PID 1164 set thread context of 2044 | 1164 | update_kor.exe | 38
Drops file in Program Files directory (64 IoCs)
Processes: svchost.exe
Drops file in Windows directory (64 IoCs)
Processes: svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe, svchost.exe, update_kor.exe, svchost.exe, update_kor.exe, svchost.exe, update_kor.exe, cmd.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_kor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_kor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_kor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
update_kor.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | update_kor.exe
-
Modifies Control Panel 3 IoCs
Processes:
svchost.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
-
Modifies registry class 4 IoCs
Processes:
update_kor.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2} | update_kor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InProcServer32 | update_kor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecs.dll" | update_kor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InProcServer32\ThreadingModel = "Both" | update_kor.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
update_kor.exe
pid | Process
2044 | update_kor.exe
2044 | update_kor.exe
2044 | update_kor.exe
2044 | update_kor.exe
2044 | update_kor.exe
2044 | update_kor.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
svchost.exe, update_kor.exe
description | pid | Process
Token: 33 | 2804 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2804 | svchost.exe
Token: 33 | 2804 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2804 | svchost.exe
Token: 33 | 1164 | update_kor.exe
Token: SeIncBasePriorityPrivilege | 1164 | update_kor.exe
Token: 33 | 1164 | update_kor.exe
Token: SeIncBasePriorityPrivilege | 1164 | update_kor.exe
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes:
867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe, svchost.exe, update_kor.exe, svchost.exe, update_kor.exe, svchost.exe
description | pid | Process | procid_target
PID 2372 wrote to memory of 2536 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 30
PID 2372 wrote to memory of 2536 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 30
PID 2372 wrote to memory of 2536 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 30
PID 2372 wrote to memory of 2536 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 30
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2372 wrote to memory of 2532 | 2372 | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe | 31
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2536 wrote to memory of 2804 | 2536 | svchost.exe | 32
PID 2804 wrote to memory of 2424 | 2804 | svchost.exe | 37
PID 2804 wrote to memory of 2424 | 2804 | svchost.exe | 37
PID 2804 wrote to memory of 2424 | 2804 | svchost.exe | 37
PID 2804 wrote to memory of 2424 | 2804 | svchost.exe | 37
PID 2804 wrote to memory of 2424 | 2804 | svchost.exe | 37
PID 2804 wrote to memory of 2424 | 2804 | svchost.exe | 37
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 2532 wrote to memory of 1164 | 2532 | update_kor.exe | 33
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 1164 wrote to memory of 2044 | 1164 | update_kor.exe | 38
PID 2424 wrote to memory of 2148 | 2424 | svchost.exe | 41
PID 2424 wrote to memory of 2148 | 2424 | svchost.exe | 41
PID 2424 wrote to memory of 2148 | 2424 | svchost.exe | 41
PID 2424 wrote to memory of 2148 | 2424 | svchost.exe | 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe"
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
-
  C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe (level 2)
  Command line: "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
-
    C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe (level 3)
    Command line: "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
-
      C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe (level 4)
      Command line: "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Suspicious use of WriteProcessMemory
      PID:2424
-
        C:\Windows\SysWOW64\cmd.exe (level 5)
        Command line: cmd /c mmm.bat
        - System Location Discovery: System Language Discovery
        PID:2148
-
  C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe (level 2)
  Command line: "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
-
    C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe (level 3)
    Command line: "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
-
      C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe (level 4)
      Command line: "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      PID:2044
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads
-
Filesize: 17B
MD5: bf55292f19b02c6dd1934f2ea2c6ae9d
SHA1: 0dc0e99b63b557bd0eef88422a98bdd944bc0d86
SHA256: 0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e
SHA512: e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500
-
Filesize: 3.0MB
MD5: 8fd9f85c03159c229734734c1c60277c
SHA1: db142eed904c4a9f7d689dc7c128f35c14dfe50b
SHA256: aedb77172cc2a283957bf992b75f26cfe747d274edae7ad2d62dda841cf7cdef
SHA512: 0d0006d1b146db6ed3a320ef73eece5d477bff4a7d5f022f59c456d617fe485650ad6e51c4fd8e896d46a23dc9c2679b958e8d47d8ddcabddeae91abc47442f6
-
C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_08-11-2024_01-08-32-75FA78AAA2E6C1A2CFB8FA86803BF1D7-ABDG.bin
Filesize: 1KB
MD5: 2504acbf8156b383f86bc1761f0a273c
SHA1: d2204fcc1e34d10f574ad5b005218ee09942a3b2
SHA256: 67f989204383e80b13850c7b457f2b34e1942d2d9e1531edb0588e93279135c8
SHA512: 8ee9869068f640dcc0831dea061f5a1e6ece9978fab19660154919059acfc3d6beb59e3562cacc0b056ad0edcb68a55f05cb271e5d80254bb9c6b86e1fc95644
-
Filesize: 3.6MB
MD5: a4d579242cbf6c4761124161bf9e1444
SHA1: 6f6c25411ee73052b7e37dc7cbd3d2bdf7de0552
SHA256: 07167fead787919772459efaf1a560c683dfa674ed6f8b1b4f7cf980ffdeeda0
SHA512: 1d6bffda5074c570a846893d61e42d0920b0bd79ae071bb1471df44d21c2ab30f2e9efbbc197ea84e3441a4ed58f541d2ca1c171bb5d94bbf1e15cb52e296e8f