Analysis
-
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09-11-2024 16:15
Static task: static1
General
-
Target: setup.exe
Size: 880KB
MD5: 43d3ff349ad31e0ad76201755445cb1e
SHA1: 7b3b15c369203cf892fb0b023201c5627e23973a
SHA256: 5c402fd8244e177338a2a8f0c7b8df055d5a06ebd7a5225edb3d3cdaf1d1c749
SHA512: 771f98fcade1687c3714e6631d800ba8f186cc6de46ee36e52e78d04727f0bc7f9352d5f32788a315bd1dc5b84fabd585ea50c1bf32bbd7fc168b87a8a97d101
SSDEEP: 24576:L20Bj512nz5ME9t+Fez6ovAJv9aGk3KgY7rmvZf5/I:L2Xzh/fvAJ4GkJECvTI
Malware Config
Signatures
-
Possible privilege escalation attempt (12 IoCs)
Processes:
pid | process
4636 | icacls.exe
4024 | icacls.exe
3104 | takeown.exe
4340 | icacls.exe
876 | takeown.exe
1904 | icacls.exe
644 | icacls.exe
3312 | takeown.exe
740 | takeown.exe
2148 | takeown.exe
2728 | icacls.exe
1404 | takeown.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | installer.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
3368 | setup.tmp
2804 | installer.exe
Loads dropped DLL (8 IoCs)
Processes:
pid | process
4576 | regsvr32.exe
4576 | regsvr32.exe
4260 | regsvr32.exe
3608 | regsvr32.exe
4072 | regsvr32.exe
4072 | regsvr32.exe
4072 | regsvr32.exe
3720 | regsvr32.exe
Modifies file permissions (1 TTPs, 12 IoCs)
Processes:
pid | process
2728 | icacls.exe
1404 | takeown.exe
740 | takeown.exe
4340 | icacls.exe
1904 | icacls.exe
3312 | takeown.exe
4636 | icacls.exe
4024 | icacls.exe
3104 | takeown.exe
876 | takeown.exe
2148 | takeown.exe
644 | icacls.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory (33 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\GroupPolicy\Adm\inetres.adm | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\Adm\wuau.adm | cmd.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | mmc.exe
File created | C:\Windows\SysWOW64\GPBAK\gpedit.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GPBAK\fdeploy.dll | cmd.exe
File created | C:\Windows\SysWOW64\GPBAK\gpedit.msc | cmd.exe
File opened for modification | C:\Windows\SysWOW64\fdeploy.dll | cmd.exe
File created | C:\Windows\SysWOW64\gpedit.msc | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GPBAK\gpedit.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\fde.dll | cmd.exe
File created | C:\Windows\SysWOW64\GroupPolicy\Adm\system.adm | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\Adm\inetres.adm | cmd.exe
File created | C:\Windows\SysWOW64\GroupPolicy\Adm\wuau.adm | cmd.exe
File opened for modification | C:\Windows\SysWOW64\gpedit.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\Adm\conf.adm | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GPBAK\gptext.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\appmgr.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\gpedit.msc | cmd.exe
File opened for modification | C:\Windows\SysWOW64\rsop.msc | regsvr32.exe
File created | C:\Windows\SysWOW64\GPBAK\fde.dll | cmd.exe
File created | C:\Windows\SysWOW64\GPBAK\appmgr.dll | cmd.exe
File created | C:\Windows\SysWOW64\GroupPolicy\Adm\conf.adm | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\Adm\wmplayer.adm | cmd.exe
File created | C:\Windows\SysWOW64\GPBAK\gptext.dll | cmd.exe
File opened for modification | C:\Windows\System32\GroupPolicy | mmc.exe
File opened for modification | C:\Windows\SysWOW64\GPBAK\appmgr.dll | cmd.exe
File created | C:\Windows\SysWOW64\GPBAK\fdeploy.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\gptext.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\Adm\system.adm | cmd.exe
File opened for modification | C:\Windows\system32\gpedit.msc | mmc.exe
File opened for modification | C:\Windows\SysWOW64\GPBAK\fde.dll | cmd.exe
File opened for modification | C:\Windows\SysWOW64\GPBAK\gpedit.msc | cmd.exe
File created | C:\Windows\SysWOW64\GroupPolicy\Adm\wmplayer.adm | cmd.exe
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\unins000.dat | setup.tmp
File created | C:\Windows\unins000.dat | setup.tmp
File created | C:\Windows\is-6C4QT.tmp | setup.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies registry class (64 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\ = "Administrative Templates (Computers)" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{942A8E4F-A261-11D1-A760-00C04FB9603F}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F637904-2CAB-4F0E-8688-D3717EBD2975}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63E23168-BFF7-4E87-A246-EF024425E4EC}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FDE | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\GPEdit.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\ = "Software installation" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{7E45546F-6D52-4D10-B702-9C2E67232E62}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{942A8E4F-A261-11D1-A760-00C04FB9603F}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{7E45546F-6D52-4D10-B702-9C2E67232E62}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FDE.1\ = "Folder Redirection Editor" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66660-4972-11D1-A7CA-0000F87571E3} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FDE5092-AA2A-11D1-A7D4-0000F87571E3}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B6664F-4972-11D1-A7CA-0000F87571E3}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\gptext.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FDE.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66661-4972-11D1-A7CA-0000F87571E3} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66661-4972-11D1-A7CA-0000F87571E3}\InProcServer32 | regsvr32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
5040 | mmc.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 740 | takeown.exe
Token: SeTakeOwnershipPrivilege | 876 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2148 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1404 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3312 | takeown.exe
Token: 33 | 5040 | mmc.exe
Token: SeIncBasePriorityPrivilege | 5040 | mmc.exe
Token: 33 | 5040 | mmc.exe
Token: SeIncBasePriorityPrivilege | 5040 | mmc.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
3368 | setup.tmp
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
5040 | mmc.exe
5040 | mmc.exe
5040 | mmc.exe
5040 | mmc.exe
Suspicious use of WriteProcessMemory (56 IoCs)
Processes:
description | pid | process | target process
PID 3332 wrote to memory of 3368 | 3332 | setup.exe | setup.tmp
PID 3332 wrote to memory of 3368 | 3332 | setup.exe | setup.tmp
PID 3332 wrote to memory of 3368 | 3332 | setup.exe | setup.tmp
PID 3368 wrote to memory of 2804 | 3368 | setup.tmp | installer.exe
PID 3368 wrote to memory of 2804 | 3368 | setup.tmp | installer.exe
PID 2804 wrote to memory of 1244 | 2804 | installer.exe | cmd.exe
PID 2804 wrote to memory of 1244 | 2804 | installer.exe | cmd.exe
PID 1244 wrote to memory of 740 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 740 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 4340 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 4340 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 876 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 876 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 1904 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 1904 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 2148 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 2148 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 2728 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 2728 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 1404 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 1404 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 644 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 644 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 3312 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 3312 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 4636 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 4636 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 3104 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 3104 | 1244 | cmd.exe | takeown.exe
PID 1244 wrote to memory of 4024 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 4024 | 1244 | cmd.exe | icacls.exe
PID 1244 wrote to memory of 2832 | 1244 | cmd.exe | regsvr32.exe
PID 1244 wrote to memory of 2832 | 1244 | cmd.exe | regsvr32.exe
PID 2832 wrote to memory of 4576 | 2832 | regsvr32.exe | regsvr32.exe
PID 2832 wrote to memory of 4576 | 2832 | regsvr32.exe | regsvr32.exe
PID 2832 wrote to memory of 4576 | 2832 | regsvr32.exe | regsvr32.exe
PID 1244 wrote to memory of 2484 | 1244 | cmd.exe | regsvr32.exe
PID 1244 wrote to memory of 2484 | 1244 | cmd.exe | regsvr32.exe
PID 2484 wrote to memory of 4260 | 2484 | regsvr32.exe | regsvr32.exe
PID 2484 wrote to memory of 4260 | 2484 | regsvr32.exe | regsvr32.exe
PID 2484 wrote to memory of 4260 | 2484 | regsvr32.exe | regsvr32.exe
PID 1244 wrote to memory of 1448 | 1244 | cmd.exe | regsvr32.exe
PID 1244 wrote to memory of 1448 | 1244 | cmd.exe | regsvr32.exe
PID 1448 wrote to memory of 3608 | 1448 | regsvr32.exe | regsvr32.exe
PID 1448 wrote to memory of 3608 | 1448 | regsvr32.exe | regsvr32.exe
PID 1448 wrote to memory of 3608 | 1448 | regsvr32.exe | regsvr32.exe
PID 1244 wrote to memory of 1564 | 1244 | cmd.exe | regsvr32.exe
PID 1244 wrote to memory of 1564 | 1244 | cmd.exe | regsvr32.exe
PID 1564 wrote to memory of 4072 | 1564 | regsvr32.exe | regsvr32.exe
PID 1564 wrote to memory of 4072 | 1564 | regsvr32.exe | regsvr32.exe
PID 1564 wrote to memory of 4072 | 1564 | regsvr32.exe | regsvr32.exe
PID 1244 wrote to memory of 4052 | 1244 | cmd.exe | regsvr32.exe
PID 1244 wrote to memory of 4052 | 1244 | cmd.exe | regsvr32.exe
PID 4052 wrote to memory of 3720 | 4052 | regsvr32.exe | regsvr32.exe
PID 4052 wrote to memory of 3720 | 4052 | regsvr32.exe | regsvr32.exe
PID 4052 wrote to memory of 3720 | 4052 | regsvr32.exe | regsvr32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3332
  C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp" /SL5="$70110,660927,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3368
    C:\Windows\Temp\gpedit\installer.exe
    Command line: "C:\Windows\Temp\gpedit\installer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2804
      C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\gpedit\x64.bat" "
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 1244
        C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\gpedit.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 740
        C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\gpedit.dll /grant:r Admin:f
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4340
        C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\fde.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 876
        C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\fde.dll /grant:r Admin:f
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 1904
        C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\gptext.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 2148
        C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\gptext.dll /grant:r Admin:f
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 2728
        C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\appmgr.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 1404
        C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\appmgr.dll /grant:r Admin:f
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 644
        C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\fdeploy.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 3312
        C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\fdeploy.dll /grant:r Admin:f
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4636
        C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\GPBAK\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 3104
        C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\GPBAK\* /grant:r Admin:f
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4024
        C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\SysWOW64\gpedit.dll
        - Suspicious use of WriteProcessMemory
        PID: 2832
          C:\Windows\SysWOW64\regsvr32.exe
          Command line: /s C:\Windows\SysWOW64\gpedit.dll
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID: 4576
        C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\SysWOW64\fde.dll
        - Suspicious use of WriteProcessMemory
        PID: 2484
          C:\Windows\SysWOW64\regsvr32.exe
          Command line: /s C:\Windows\SysWOW64\fde.dll
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID: 4260
        C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\SysWOW64\gptext.dll
        - Suspicious use of WriteProcessMemory
        PID: 1448
          C:\Windows\SysWOW64\regsvr32.exe
          Command line: /s C:\Windows\SysWOW64\gptext.dll
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID: 3608
        C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\SysWOW64\appmgr.dll
        - Suspicious use of WriteProcessMemory
        PID: 1564
          C:\Windows\SysWOW64\regsvr32.exe
          Command line: /s C:\Windows\SysWOW64\appmgr.dll
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID: 4072
        C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\SysWOW64\fdeploy.dll
        - Suspicious use of WriteProcessMemory
        PID: 4052
          C:\Windows\SysWOW64\regsvr32.exe
          Command line: /s C:\Windows\SysWOW64\fdeploy.dll
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 3720
-
C:\Windows\system32\mmc.exe
Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5040
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 680KB
MD5: e60a74a65005e4c4f61cbe9c09d368df
SHA1: 1d649b2ab5e08632d64e23f5f9e5675b68e184b4
SHA256: 78f6692d50d07bd78a97294d196f9ae7d1fc48b058375e5d7bb766970faab758
SHA512: a73b84739f4da0827976cf473e63ba3dc7649ab2d37be13c8fb786487d0dc7ef5b2bd446d8c745d75266447357bde4f32f58f1f1c92b156f06f141fea2873856
-
Filesize: 5KB
MD5: 5e0ece1cfe6a91a811f49bd35234d4a2
SHA1: a458b8ef3d88b3e5ff5c732532ffc7677dea3d2e
SHA256: bba8c14f2816d3a107f5609f5be9cfdc63ac1c499d2ee3d73b117af77ba9a6a5
SHA512: 76801b41aebcaa216134e70f8a8b4bcb416736cee5b241ae5f8ffee89e3c41131a9d69bd9ae25bc3f4d7f09b32f2b05f8e70efe880477f3e6bc28ef1f8d3a929
-
Filesize: 289KB
MD5: 76422d781c0fbbb368f8559dc12a39b1
SHA1: 148ec10a2f8fab845f8e1b2a8c013fcb9451ecb2
SHA256: 2613b7e843d0ad5959a74d2b2601f5e981e8e1fdc39a44da175ab076c08839a3
SHA512: 2f86df50d71740cf5e571fa8ba478ba70ec12cf94d96ede50d864dddd92d3b3a5991c874264c05edf0a5824df9b9f1c513a429bc97ec275a7eb001f98097cb84
-
Filesize: 39KB
MD5: 6c2422f9265d2ead5cfb47540bd46c71
SHA1: 2e19092c1883ef8578b066569843a3b4156138ee
SHA256: 3c21ed1d9ee8de426d9dd329499ce4eb9cc24122aea61694fcfe9115c0ea2ea7
SHA512: 686dc55296226967df3a447271dbb16b72f114de4134efbdebc8c392b2e660fc4dc1fd077054b4d7924e73ccde123ef2098b286a90878ef4b2e2cdd832fe5ce2
-
Filesize: 122KB
MD5: cba0be94e3985f6db7701e259c73b43b
SHA1: 8b20257ee2add36f93943a33f7f683928d86463d
SHA256: a1f26b60132f7db711140b4f170bd3a9c92053bf178bef6d5809e12c483bf7fc
SHA512: a9b6cf644980b841e6c1d34483bada401b53ed54bfb0846a069e9a301decb997792939fd45e6a0e5612cc4c50f1fa236f1a190422b4f1abce7cb4a4537510334
-
Filesize: 72KB
MD5: 5e12974f81fae8f695e2b4ea05418af3
SHA1: c5b887f1b8909b217818c220a9bb21c95a56b387
SHA256: 5f6331af5e4159a48a5f2da6c9b52c970564f58fc5a889cbcb90f9edca011d90
SHA512: 6e9c4dc6bd514ff3ab2cd3a808eda06ada2728e7d30985a2211beb99a75004a4128ba9c0582fe471a16fd5cac3e98e6ecfaece1ec498455b5a7135642dbd35f0
-
Filesize: 553KB
MD5: 65f8da8424ad27a365f61ccc8621fed2
SHA1: 59979870fcdf01414b9999578d6bee4426feb3ba
SHA256: 92beba4934d0263fd21827cc96e02689da9abaed571fe88836b3469f70d4a28e
SHA512: 8f64574466cb4f9646b550899101b62fa84c5b6afe72f517860ff8c27599cc817986d0dc6f42a30d57efe3fe4b27cb1389db3795b71e66f5a4f7e3b07733fd71
-
Filesize: 34KB
MD5: c9ad01520798dc5cd144c2dce97657c3
SHA1: 90973c38ddb1ace1fbf8eefd043141553868f3c7
SHA256: da7f0d319289ddbcd70d110f72778cec6246e342f65fef727219bd575405d89b
SHA512: 7a2b335a880b034dcac8ff61fc8e87e3af2a54625200a7ee2daa2d5d02753ff713e1e81718b3cd4c4b6bf1eb874994bcfe7761b93e78b3f4298fb545b12d69c6
-
Filesize: 195KB
MD5: e75463b95cb67b77bb6fa71e4f0539e8
SHA1: 1c78c2d1a5d2ad62d83a8fe2f11e56dbcc3a50ac
SHA256: e11ff0a739e09df75cd1af7833ba8fe8783e8b937e2d5f3dc25a8f6d234ba93b
SHA512: 3df066f7cc265b75010d9ccd1ab5b574b590dd0fc7a73c6ace488ac3a641d4eb9c253393fffaf941083c7fb6b55638457df9abbdd73b48d4b9824196a284e1d9
-
Filesize: 1.4MB
MD5: bb39b39e6d48620dfd401733bc8dbbd2
SHA1: c832b2edbe26eec52bb560b41e99eeaeef8b4b1a
SHA256: e749d975062f79b5a63a123f75cd615b0b5b833316ca6fd17b999b884193e194
SHA512: 69542ef1e8cbb372ee586dceca019b3434df2de2011573150cc3d84dee5fffcfc3b020f99af4239e03d583a6dab2aeb95998062f7b16ea570738930861add93a
-
Filesize: 1.7MB
MD5: 81e9f4f83b5a6b43293db805f31629df
SHA1: 28baaaf9958b0f27e60f873ac275cc593b55e2b3
SHA256: c4fa35170090dccd405ff951dadc2a64b6e3618728efb5f41ccf939971eabcd2
SHA512: a79b9e04ba5c2094c9cdc4e738b5fbd900a2dc0613d0fa2002b1cce79293f84f43454c1e8102b307baf6958b8b4fcb96eda84665e987136266df0bfa56926b27
-
Filesize: 65KB
MD5: 9780ba64ffd34694fdfa0066b907bd04
SHA1: ffc36cfb3934499c73092751a5eb406720eb915b
SHA256: c954c69ee2490819cee734265470a3cc1cec1159ab5233258769ef6f703509eb
SHA512: eb5d672bf06c7943618e10b52e44427689c3d373c4eb5e196aa26aa88e7bba91a99a2d263789ea11eb6c37fee2bf57d34d6d8dc1aae54b90185b3dc76e5f8806
-
Filesize: 39KB
MD5: 989878dae9f52b78fb79b49ef9759ec0
SHA1: 94cc11280f7cd7fd93652f40013e79c15f2e751a
SHA256: 9f0f5b397eb903c36a668ffa7274574994d56b832439b750f4e85e472253bfea
SHA512: 6d5b01d4e263a35df6abc9a7a8e1d22c27c017a2c8f2a33b5a432ac1d8bdd95629afb68d4699c987e0c951f20ef1b81a66ff794aa1ea3610c0306d44d28700a3
-
Filesize: 2KB
MD5: 6c718c722c6b289de25ce1c758fdf970
SHA1: 06264f2bcde0dc43b035340ec2f36ed04999a30e
SHA256: a13339020b5b3ccb7e185ff26b9a9916a48663dc0ce6d88c3d310556ad4a733f
SHA512: ff3b2a737de7b40d10ddb18cebd8993fd0e809f07ced2b7931fcb3cbcaaa2e0fde34b0fb0693b2ee667688c2fa1b54593f48244d4d9f144dae5e6beda093babb