Malware Analysis Report

2024-11-13 18:04

Sample ID 241109-tqedqaxfpb
Target setup.exe
SHA256 5c402fd8244e177338a2a8f0c7b8df055d5a06ebd7a5225edb3d3cdaf1d1c749
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file setup.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 16:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 16:15

Reported

2024-11-09 16:18

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\gpedit\installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp N/A
N/A N/A C:\Windows\Temp\gpedit\installer.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\GroupPolicy\Adm\inetres.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\wuau.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Windows\system32\mmc.exe N/A
File created C:\Windows\SysWOW64\GPBAK\gpedit.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GPBAK\fdeploy.dll C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GPBAK\gpedit.msc C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fdeploy.dll C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\gpedit.msc C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GPBAK\gpedit.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fde.dll C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GroupPolicy\Adm\system.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\inetres.adm C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GroupPolicy\Adm\wuau.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\gpedit.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\conf.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GPBAK\gptext.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\appmgr.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\gpedit.msc C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\rsop.msc C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\GPBAK\fde.dll C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GPBAK\appmgr.dll C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GroupPolicy\Adm\conf.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\wmplayer.adm C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GPBAK\gptext.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\system32\mmc.exe N/A
File opened for modification C:\Windows\SysWOW64\GPBAK\appmgr.dll C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GPBAK\fdeploy.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\gptext.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\system.adm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\gpedit.msc C:\Windows\system32\mmc.exe N/A
File opened for modification C:\Windows\SysWOW64\GPBAK\fde.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\GPBAK\gpedit.msc C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\GroupPolicy\Adm\wmplayer.adm C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp N/A
File created C:\Windows\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp N/A
File created C:\Windows\is-6C4QT.tmp C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\ = "Administrative Templates (Computers)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{942A8E4F-A261-11D1-A760-00C04FB9603F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F637904-2CAB-4F0E-8688-D3717EBD2975}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63E23168-BFF7-4E87-A246-EF024425E4EC}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FDE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\GPEdit.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\ = "Software installation" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{7E45546F-6D52-4D10-B702-9C2E67232E62}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{942A8E4F-A261-11D1-A760-00C04FB9603F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{7E45546F-6D52-4D10-B702-9C2E67232E62}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FDE.1\ = "Folder Redirection Editor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66660-4972-11D1-A7CA-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FDE5092-AA2A-11D1-A7D4-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B6664F-4972-11D1-A7CA-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\gptext.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FDE.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66661-4972-11D1-A7CA-0000F87571E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B66661-4972-11D1-A7CA-0000F87571E3}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp
PID 3332 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp
PID 3332 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp
PID 3368 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp C:\Windows\Temp\gpedit\installer.exe
PID 3368 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp C:\Windows\Temp\gpedit\installer.exe
PID 2804 wrote to memory of 1244 N/A C:\Windows\Temp\gpedit\installer.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 1244 N/A C:\Windows\Temp\gpedit\installer.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1244 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2832 wrote to memory of 4576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2832 wrote to memory of 4576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2832 wrote to memory of 4576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1244 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2484 wrote to memory of 4260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 4260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 4260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1244 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1448 wrote to memory of 3608 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1448 wrote to memory of 3608 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1448 wrote to memory of 3608 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1244 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1564 wrote to memory of 4072 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1564 wrote to memory of 4072 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1564 wrote to memory of 4072 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1244 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4052 wrote to memory of 3720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4052 wrote to memory of 3720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4052 wrote to memory of 3720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp" /SL5="$70110,660927,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\Temp\gpedit\installer.exe

"C:\Windows\Temp\gpedit\installer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\gpedit\x64.bat" "

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\gpedit.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\gpedit.dll /grant:r Admin:f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\fde.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\fde.dll /grant:r Admin:f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\gptext.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\gptext.dll /grant:r Admin:f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\appmgr.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\appmgr.dll /grant:r Admin:f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\fdeploy.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\fdeploy.dll /grant:r Admin:f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\GPBAK\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\GPBAK\* /grant:r Admin:f

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Windows\SysWOW64\gpedit.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Windows\SysWOW64\gpedit.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Windows\SysWOW64\fde.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Windows\SysWOW64\fde.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Windows\SysWOW64\gptext.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Windows\SysWOW64\gptext.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Windows\SysWOW64\appmgr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Windows\SysWOW64\appmgr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Windows\SysWOW64\fdeploy.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Windows\SysWOW64\fdeploy.dll

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files
