Analysis Overview
SHA256
2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552
Threat Level: Shows suspicious behavior
The file 2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Enumerates connected drives
Checks installed software on the system
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Control Panel
Suspicious use of UnmapMainImage
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 07:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 07:12
Reported
2024-11-08 07:14
Platform
win7-20240729-en
Max time kernel
105s
Max time network
115s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ntcms.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rasui.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Drops file in System32 directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rasui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveBackup | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\srvlib.scr" | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveUtility = "C:\\Windows\\SysWOW64\\msenv.scr" | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = (value not shown) | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rasui.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rasui.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedPropCount = "1" | C:\Windows\SysWOW64\rasui.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rasui.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004604000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e0000000100330032003800350037000000 | C:\Windows\SysWOW64\rasui.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedPropCount = "2" | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = (value not shown) | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0" | C:\Windows\SysWOW64\rasui.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = (value not shown) | C:\Windows\SysWOW64\rasui.exe | N/A |
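The WAB (Windows Address Book) values above are written under HKU\.DEFAULT, the hive that backs HKCU for the LocalSystem account; that is consistent with rasui.exe running as SYSTEM (compare the taskeng.exe entry with S-1-5-18 in the process list and the files written under C:\Windows\SysWOW64\config\systemprofile). The one NamedProps value the page shows in full can be decoded. The following decoder is an added example, not part of the sandbox report or of the sample: the blob layout (property-set GUID, count, then length-prefixed entries of MAPI tag, kind and UTF-16 name) is inferred from the bytes on the page rather than taken from documentation, and the property-set name table is limited to two GUIDs the author is certain of.

```python
import struct
import uuid

# Copied from the behavioral1 "Modifies data under HKEY_USERS" table above:
# the only NamedProps value the report shows in full.
NAMEDPROPS_HEX = (
    "0420060000000000c00000000000004604000000"
    "000000800e0000000100330032003800350034000000"
    "000001800e0000000100330032003800350035000000"
    "000002800e0000000100330032003800350036000000"
    "000003800e0000000100330032003800350037000000"
)

# MAPI named-property kinds (MAPINAMEID.ulKind).
MNID_ID = 0
MNID_STRING = 1

# Well-known MAPI property-set GUIDs; only the two needed here.
PROPSET_NAMES = {
    "00062004-0000-0000-c000-000000000046": "PSETID_Address",
    "00020329-0000-0000-c000-000000000046": "PS_PUBLIC_STRINGS",
}


def decode_namedprops(blob: bytes) -> dict:
    """Decode a WAB NamedProps registry value.

    Layout (inferred from the bytes on the page, not from documentation):
      GUID  (16 bytes, Windows little-endian field order)  property set
      DWORD count
      count x { DWORD tag; DWORD len; BYTE body[len] }
    tag = (property id << 16) | property type; body is a WORD kind followed
    by a DWORD LID (MNID_ID) or a NUL-terminated UTF-16LE name (MNID_STRING).
    Entries are walked by their length prefix; no fixed offsets are assumed.
    """
    if len(blob) < 20:
        raise ValueError("blob too short for GUID + count")
    propset = str(uuid.UUID(bytes_le=blob[:16]))
    (count,) = struct.unpack_from("<I", blob, 16)
    pos = 20
    entries = []
    for _ in range(count):
        if pos + 8 > len(blob):
            raise ValueError("truncated entry header at offset %d" % pos)
        tag, body_len = struct.unpack_from("<II", blob, pos)
        pos += 8
        body = blob[pos:pos + body_len]
        if len(body) != body_len or body_len < 2:
            raise ValueError("truncated entry body at offset %d" % pos)
        pos += body_len
        (kind,) = struct.unpack_from("<H", body, 0)
        if kind == MNID_STRING:
            name = body[2:].decode("utf-16-le").rstrip("\x00")
        elif kind == MNID_ID and body_len >= 6:
            name = "LID 0x%08x" % struct.unpack_from("<I", body, 2)[0]
        else:
            raise ValueError("unknown kind %d at offset %d" % (kind, pos))
        entries.append({
            "prop_id": tag >> 16,
            "prop_type": tag & 0xFFFF,
            "kind": kind,
            "name": name,
        })
    if pos != len(blob):
        raise ValueError("%d trailing bytes after %d entries" % (len(blob) - pos, count))
    return {
        "propset": propset,
        "propset_name": PROPSET_NAMES.get(propset, "unknown"),
        "entries": entries,
    }


def describe(blob_hex: str) -> list:
    """One line per named property, e.g. '0x8000 -> PSETID_Address:"32854"'."""
    info = decode_namedprops(bytes.fromhex(blob_hex))
    return [
        '0x%04x -> %s:"%s"' % (e["prop_id"], info["propset_name"], e["name"])
        for e in info["entries"]
    ]


if __name__ == "__main__":
    for line in describe(NAMEDPROPS_HEX):
        print(line)
```

For the value on this page the decoder yields the PSETID_Address property set with four string-named properties, "32854" through "32857", mapped to ids 0x8000 through 0x8003 with an unspecified type. That is the registration the address-book library performs when it is initialised, so the practical signal is not the content but the fact that a freshly dropped SysWOW64 executable touched contact APIs from the SYSTEM profile, which lines up with the Outlook profile access recorded for the parent.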
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rasui.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe
"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"
C:\Windows\SysWOW64\ntcms.exe
C:\Windows\SysWOW64\ntcms.exe /combine local system
C:\Windows\system32\taskeng.exe
taskeng.exe {94BA1BA8-1E69-450F-B757-6D07A4C32703} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\SysWOW64\rasui.exe
C:\Windows\SysWOW64\rasui.exe nay
Network
| Country | Destination | Domain | Proto |
| US | 199.231.188.109:21 | | tcp |
| US | 199.231.188.109:21 | | tcp |
| US | 199.231.188.109:21 | | tcp |
Files
memory/2328-0-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/2328-1-0x0000000001EF0000-0x0000000001F38000-memory.dmp
memory/2328-2-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2328-3-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Windows\SysWOW64\ntcms.exe
| MD5 | 463707993d1b58318cb90ab09a75d7bf |
| SHA1 | e8cd32f9b8f0196864dc0a3d2ab70b54493aad93 |
| SHA256 | ff53b256e4f682ec6b937675206fb8a7410970366fd1f0a0ccbdd516ff94b183 |
| SHA512 | c1aa71584ff78e17bb401332306bd4041baf7c1c9c2ab43397e1ae7b701ccff75cb3e3c0a5bad843738cc63600f53e484bba2a53c086cf070c46773502bf2587 |
C:\Windows\SysWOW64\rasui.exe
| MD5 | 0e1e2f4228974105000cb8f56afe8e8c |
| SHA1 | fb849d7c6efb483655eb5260b31f3575c113ea2e |
| SHA256 | 0ed316d503424fe4a0b78646f082aeb70b9bb632541e97d141e8748bfeb22dee |
| SHA512 | 13f4568916a427a2ca699c5f89336738d8fd186b442f2f193b433431bfbce8ef2554f96f9df78573c75694fc729e7439818e14a711aa759a20593fb4820a1a7a |
C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol
| MD5 | 59babb838a876914f6b5402512da3d41 |
| SHA1 | eb72a9af96d374bc1d0045513ae1f4541060a7e5 |
| SHA256 | 443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866 |
| SHA512 | 6c7f7fd694df9949b4716d009242b423216aa52e579414505406d6d3fcaa84fd8c9227e55eb80d28ba40068d80fd6f8be089f2b655ebc72872cd226236fa97ea |
memory/2704-74-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\Contacts\desktop.ini
| MD5 | eefa7f76ff11a5ec21bb777b798ac46c |
| SHA1 | 2e7a65ea8427d13a92ea159a5b8859ff99d2a836 |
| SHA256 | 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae |
| SHA512 | 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 07:12
Reported
2024-11-08 07:14
Platform
win10v2004-20241007-en
Max time kernel
101s
Max time network
108s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\lsapc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\engfw.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\srvschd.scr | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\engfw.exe | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\engfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\engfw.exe | N/A |
| File created | C:\Windows\SysWOW64\wdmdsp.exe | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File created | C:\Windows\SysWOW64\lsapc.exe | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\englib.scr | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\engfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\engfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wdmdsp.exe | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File created | C:\Windows\SysWOW64\englib.scr | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File created | C:\Windows\SysWOW64\srvschd.scr | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File created | C:\Windows\SysWOW64\engfw.exe | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Contacts\desktop.ini | C:\Windows\SysWOW64\engfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lsapc.exe | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Contacts | C:\Windows\SysWOW64\engfw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lsapc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\engfw.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\srvschd.scr" | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveUtility = "C:\\Windows\\SysWOW64\\englib.scr" | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveBackup | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
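In both runs the sample drops .scr files into SysWOW64, points the per-user SCRNSAVE.EXE value at one of them and lowers ScreenSaveTimeOut to 60 seconds, so the dropped file executes once the user goes idle. The following detection is an added example, not part of the sandbox report: it runs over event rows constructed from the behavioral2 tables above (file creations and Desktop registry writes) plus one constructed benign row for contrast, and it raises a finding when SCRNSAVE.EXE names a non-stock screensaver, when the target was written during the same run, or when the timeout was shortened. The stock screensaver list and the 300-second threshold are the author's choices, not values from the page.

```python
import ntpath
import re
from dataclasses import dataclass

# Screensavers shipped with Windows 7/10. Anything else registered as
# SCRNSAVE.EXE is worth a look; a live check would also verify the
# Authenticode signature of the target, since a stock name can be overwritten.
STOCK_SCREENSAVERS = {
    "scrnsave.scr", "bubbles.scr", "mystify.scr", "ribbons.scr",
    "sstext3d.scr", "photoscreensaver.scr",
}

# Matches the report's indicator text for per-user Control Panel\Desktop values.
DESKTOP_VALUE_RE = re.compile(
    r'^\\REGISTRY\\USER\\(S-1-5-[0-9-]+)\\Control Panel\\Desktop\\'
    r'([A-Za-z0-9_.]+)(?: = "(.*)")?$'
)


@dataclass(frozen=True)
class Event:
    kind: str        # report "Description" column, e.g. "Set value (str)"
    indicator: str   # report "Indicator" column
    process: str     # process that performed the action


@dataclass
class Finding:
    sid: str
    screensaver: str
    process: str
    reasons: list


def _unquote(data):
    # The report doubles backslashes inside quoted string data.
    return "" if data is None else data.replace("\\\\", "\\")


def assess_screensaver_persistence(events):
    """Return one Finding per user hive whose SCRNSAVE.EXE looks hijacked."""
    # .scr files written during the run, keyed by lowercased path.
    dropped_scr = {
        e.indicator.lower(): e.process
        for e in events
        if e.kind == "File created" and e.indicator.lower().endswith(".scr")
    }
    # Per-SID view of the Desktop values that were set: name -> (data, setter).
    per_user = {}
    for e in events:
        if not e.kind.startswith("Set value"):
            continue
        m = DESKTOP_VALUE_RE.match(e.indicator)
        if m:
            sid, name, data = m.groups()
            per_user.setdefault(sid, {})[name.lower()] = (_unquote(data), e.process)

    findings = []
    for sid, values in per_user.items():
        if "scrnsave.exe" not in values:
            continue
        target, setter = values["scrnsave.exe"]
        reasons = []
        if ntpath.basename(target).lower() not in STOCK_SCREENSAVERS:
            reasons.append("SCRNSAVE.EXE points at non-stock file %s" % target)
        creator = dropped_scr.get(target.lower())
        if creator is not None:
            reasons.append("target was written during the run by %s" % creator)
            if creator == setter:
                reasons.append("the same process dropped the .scr and registered it")
        timeout, _ = values.get("screensavetimeout", ("", setter))
        if timeout.isdigit() and int(timeout) < 300:
            reasons.append("ScreenSaveTimeOut lowered to %s s" % timeout)
        for name, (data, _) in values.items():
            if name != "scrnsave.exe" and data.lower() in dropped_scr:
                reasons.append("%s also points at dropped file %s" % (name, data))
        if reasons:
            findings.append(Finding(sid, target, setter, reasons))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"
SID = "S-1-5-21-2045521122-590294423-3465680274-1000"
HIVE = r"\REGISTRY\USER\%s\Control Panel\Desktop" % SID

# Rows taken from the behavioral2 tables above.
REPORT_EVENTS = [
    Event("File created", r"C:\Windows\SysWOW64\srvschd.scr", SAMPLE),
    Event("File created", r"C:\Windows\SysWOW64\englib.scr", SAMPLE),
    Event("Key created", HIVE, SAMPLE),
    Event("Set value (str)", HIVE + r'\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\srvschd.scr"', SAMPLE),
    Event("Set value (str)", HIVE + r'\ScreenSaveUtility = "C:\\Windows\\SysWOW64\\englib.scr"', SAMPLE),
    Event("Set value (str)", HIVE + r'\ScreenSaveTimeOut = "60"', SAMPLE),
    Event("Set value (str)", HIVE + r'\ScreenSaveBackup', SAMPLE),
]
# Constructed benign rows (a user choosing Bubbles.scr), not from the report.
BENIGN_EVENTS = [
    Event("Set value (str)",
          r'\REGISTRY\USER\S-1-5-21-1-2-3-1001\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\System32\\Bubbles.scr"',
          r"C:\Windows\explorer.exe"),
    Event("Set value (str)",
          r'\REGISTRY\USER\S-1-5-21-1-2-3-1001\Control Panel\Desktop\ScreenSaveTimeOut = "600"',
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in assess_screensaver_persistence(REPORT_EVENTS + BENIGN_EVENTS):
        print(f.sid, f.screensaver, f.process)
        for r in f.reasons:
            print("  -", r)
```

The same logic applies to the behavioral1 run, where the values are srvlib.scr and msenv.scr; the correlation with "File created" events is the strongest of the signals, because a stock-looking name can be overwritten in place while a path dropped and registered by the same process in one run is hard to explain benignly.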
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedPropCount = "1" | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = (value not shown) | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0" | C:\Windows\SysWOW64\engfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = (value not shown) | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedPropCount = "2" | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = (value not shown) | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\engfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SysWOW64\engfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004604000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e0000000100330032003800350037000000 | C:\Windows\SysWOW64\engfw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | C:\Windows\SysWOW64\lsapc.exe |
| PID 2348 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | C:\Windows\SysWOW64\lsapc.exe |
| PID 2348 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | C:\Windows\SysWOW64\lsapc.exe |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe
"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"
C:\Windows\SysWOW64\lsapc.exe
C:\Windows\SysWOW64\lsapc.exe /combine local system
C:\Windows\SysWOW64\engfw.exe
C:\Windows\SysWOW64\engfw.exe u0k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 199.231.188.109:21 | | tcp |
| US | 199.231.188.109:21 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2348-0-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/2348-1-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/2348-2-0x0000000002710000-0x0000000002758000-memory.dmp
memory/2348-3-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sqlinf.exe
| MD5 | b59199877e0d68a5e93fc8ea76374ed1 |
| SHA1 | 7803f160af428bcfb4b9ea2aba07886f232cde4e |
| SHA256 | 5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637 |
| SHA512 | 9815ee218c7f737ef662f5fb44844ec17c6b9552e0432f2f8c60aded2fa19bb8157ec0839046ac387f604672137c417a98a8181440869316209a70a9d0e6a210 |
C:\Windows\SysWOW64\lsapc.exe
| MD5 | 69e091b02788a3b03799f2db5b66f5b0 |
| SHA1 | 669bd7ef19ee7747b40eda81dee0f15cec9389d8 |
| SHA256 | e7f9bd4eaaa2c8de00768446fa3c57c940caf5d0a575f9e4f860621a70dd51a5 |
| SHA512 | 22006fa4331599894f9f38285d57d732a4ace456ea5aa6f65d6325bce5fd4a35f09f527915ebe33169a048da68772549ef6f349a6b8cbebd757ff3207b6a12f4 |
C:\Users\Admin\AppData\Local\Temp\libenv.scr
| MD5 | 933b3c5d3728ef6e08af4ae579c00d11 |
| SHA1 | 42dbfbedd813e6dbea1398323f085a88fa014293 |
| SHA256 | 47f3405ab0da5af125bcc6ebb6d17a1573b090c54d7a0a00630ec170ccc4b9d1 |
| SHA512 | 054c8fe49dad9571f7a1c2d015fdf2cc3589113517dc246baa3e68a62c186243d860566fa6339beec07a29c480f57a1009db4f51b813dfae4c26193b82baea1b |
C:\Windows\SysWOW64\engfw.exe
| MD5 | 2fc6f3f4cb92c88f72467a1dd2de9b3f |
| SHA1 | 20761b44adc932cd3fec230cc303f0aa4bf456fc |
| SHA256 | 4be6da46eae171e4a1f100eb37b7fdd8381b3dc564f94a5228778c1a64214cef |
| SHA512 | cf412c73be7b97121ce149007696419572721c9f822250152ce88bad95e0951cd4129e44bc6cc6ab57212d42707042f9965a1232a0365edf76e7c7f0c41cbc04 |
C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol
| MD5 | 59babb838a876914f6b5402512da3d41 |
| SHA1 | eb72a9af96d374bc1d0045513ae1f4541060a7e5 |
| SHA256 | 443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866 |
| SHA512 | 6c7f7fd694df9949b4716d009242b423216aa52e579414505406d6d3fcaa84fd8c9227e55eb80d28ba40068d80fd6f8be089f2b655ebc72872cd226236fa97ea |
memory/3664-72-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/3664-73-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/3664-75-0x0000000000400000-0x00000000005AF000-memory.dmp