Analysis
-
max time kernel
96s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 14:05
Behavioral task
behavioral1
Sample
dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe
Resource
win10v2004-20241007-en
General
-
Target
dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe
-
Size
405KB
-
MD5
2ecdf709804ba16898ef685bc2c94740
-
SHA1
09604599e8a761a85198d823163b9e2995a67968
-
SHA256
dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1
-
SHA512
94728a1b711369570b0e969eb91223b4fed0d2c110cd321ecb566ea5ba36a81b9b0c8e190e70c8a02fec8ea5cd732f4b9c8e0c0b155f1cbb6e7a4468a223a123
-
SSDEEP
6144:foYn9sE89XKTK/J6brj3nmHWrt63P5A9GJ6vbmF4ifKyjlKI4r3mzzrLVIo8ZJr6:ZsNDBIrCHWux6iFTJf4r2zPBv8Xi8xS
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\javaruntime.exe = "C:\\Windows\\javaruntime.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winprocess.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winprocess.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe -
Executes dropped EXE 3 IoCs
pid Process 3136 javaruntime.exe 4832 javaruntime.exe 4508 javaruntime.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaruntime = "C:\\Windows\\javaruntime.exe" reg.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2340 set thread context of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 set thread context of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 3136 set thread context of 1612 3136 javaruntime.exe 101 PID 3136 set thread context of 4832 3136 javaruntime.exe 104 PID 3136 set thread context of 4508 3136 javaruntime.exe 106 -
resource yara_rule behavioral2/memory/2340-0-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/2340-15-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/2340-14-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/2756-16-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/2340-21-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/2756-18-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/2756-22-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/files/0x000d000000023b0f-38.dat upx behavioral2/memory/3136-46-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/3136-50-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/2756-52-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/3136-51-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/3136-54-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/4508-64-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-66-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/3136-71-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral2/memory/4508-62-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/2756-76-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4832-77-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4508-80-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-82-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-85-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-87-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-89-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-92-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-94-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-99-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/4508-101-0x0000000000400000-0x000000000047B000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\javaruntime.exe dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe File created C:\Windows\javaruntime.exe dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2620 1612 WerFault.exe 101 2676 1612 WerFault.exe 101 -
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language javaruntime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language javaruntime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language javaruntime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 4060 reg.exe 4284 reg.exe 4468 reg.exe 4272 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe 2988 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: 1 4508 javaruntime.exe Token: SeCreateTokenPrivilege 4508 javaruntime.exe Token: SeAssignPrimaryTokenPrivilege 4508 javaruntime.exe Token: SeLockMemoryPrivilege 4508 javaruntime.exe Token: SeIncreaseQuotaPrivilege 4508 javaruntime.exe Token: SeMachineAccountPrivilege 4508 javaruntime.exe Token: SeTcbPrivilege 4508 javaruntime.exe Token: SeSecurityPrivilege 4508 javaruntime.exe Token: SeTakeOwnershipPrivilege 4508 javaruntime.exe Token: SeLoadDriverPrivilege 4508 javaruntime.exe Token: SeSystemProfilePrivilege 4508 javaruntime.exe Token: SeSystemtimePrivilege 4508 javaruntime.exe Token: SeProfSingleProcessPrivilege 4508 javaruntime.exe Token: SeIncBasePriorityPrivilege 4508 javaruntime.exe Token: SeCreatePagefilePrivilege 4508 javaruntime.exe Token: SeCreatePermanentPrivilege 4508 javaruntime.exe Token: SeBackupPrivilege 4508 javaruntime.exe Token: SeRestorePrivilege 4508 javaruntime.exe Token: SeShutdownPrivilege 4508 javaruntime.exe Token: SeDebugPrivilege 4508 javaruntime.exe Token: SeAuditPrivilege 4508 javaruntime.exe Token: SeSystemEnvironmentPrivilege 4508 javaruntime.exe Token: SeChangeNotifyPrivilege 4508 javaruntime.exe Token: SeRemoteShutdownPrivilege 4508 javaruntime.exe Token: SeUndockPrivilege 4508 javaruntime.exe Token: SeSyncAgentPrivilege 4508 javaruntime.exe Token: SeEnableDelegationPrivilege 4508 javaruntime.exe Token: SeManageVolumePrivilege 4508 javaruntime.exe Token: SeImpersonatePrivilege 4508 javaruntime.exe Token: SeCreateGlobalPrivilege 4508 javaruntime.exe Token: 31 4508 javaruntime.exe Token: 32 4508 javaruntime.exe Token: 33 4508 javaruntime.exe Token: 34 4508 javaruntime.exe Token: 35 4508 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe Token: SeDebugPrivilege 4832 javaruntime.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 2988 svchost.exe 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 3136 javaruntime.exe 3136 javaruntime.exe 4832 javaruntime.exe 4508 javaruntime.exe 4508 javaruntime.exe 4508 javaruntime.exe 4508 javaruntime.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2988 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 91 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2340 wrote to memory of 2756 2340 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 92 PID 2756 wrote to memory of 1740 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 94 PID 2756 wrote to memory of 1740 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 94 PID 2756 wrote to memory of 1740 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 94 PID 1740 wrote to memory of 1976 1740 cmd.exe 97 PID 1740 wrote to memory of 1976 1740 cmd.exe 97 PID 1740 wrote to memory of 1976 1740 cmd.exe 97 PID 2756 wrote to memory of 3136 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 98 PID 2756 wrote to memory of 3136 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 98 PID 2756 wrote to memory of 3136 2756 dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe 98 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 1612 3136 javaruntime.exe 101 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4832 3136 javaruntime.exe 104 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 3136 wrote to memory of 4508 3136 javaruntime.exe 106 PID 4508 wrote to memory of 4064 4508 javaruntime.exe 107 PID 4508 wrote to memory of 4064 4508 javaruntime.exe 107 PID 4508 wrote to memory of 4064 4508 javaruntime.exe 107 PID 4508 wrote to memory of 2984 4508 javaruntime.exe 108 PID 4508 wrote to memory of 2984 4508 javaruntime.exe 108 PID 4508 wrote to memory of 2984 4508 javaruntime.exe 108 PID 4508 wrote to memory of 3184 4508 javaruntime.exe 109 PID 4508 wrote to memory of 3184 4508 javaruntime.exe 109 PID 4508 wrote to memory of 3184 4508 javaruntime.exe 109 PID 4508 wrote to memory of 1968 4508 javaruntime.exe 110 PID 4508 wrote to memory of 1968 4508 javaruntime.exe 110 PID 4508 wrote to memory of 1968 4508 javaruntime.exe 110 PID 4064 wrote to memory of 4060 4064 cmd.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe"C:\Users\Admin\AppData\Local\Temp\dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe"C:\Users\Admin\AppData\Local\Temp\dc878d732bb3d91d563d1cd92590fc779d05158263d6461f694dbb1c69683ef1N.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MALBV.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaruntime" /t REG_SZ /d "C:\Windows\javaruntime.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1976
-
-
-
C:\Windows\javaruntime.exe"C:\Windows\javaruntime.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"4⤵PID:1612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 125⤵
- Program crash
PID:2620
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 205⤵
- Program crash
PID:2676
-
-
-
C:\Windows\javaruntime.exe"C:\Windows\javaruntime.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4832
-
-
C:\Windows\javaruntime.exe"C:\Windows\javaruntime.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4060
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f5⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4272
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4284
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f5⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4468
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1612 -ip 16121⤵PID:1472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1612 -ip 16121⤵PID:4916
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124B
MD5163f8e838efe1d166ffff7408b814e28
SHA152fa0ccba649587e7d24d21d182657078fa6d028
SHA256dc60287c419225759aa9e1ea0423be4106337dad71aaa0cdc9d55d2b1af3edb7
SHA512b6685390029555f7d812f0d1a9f138c619555712add3e79c1c90a1a5a0c544e4a86768a626d25c6af3cec09afc0bbaf7f398114e849831bdc5666fc443a1f68d
-
Filesize
405KB
MD54e2f9a735f0c94f48e1aa4b91de2d3ce
SHA12638738a0bd85c3c3509e810811192fa0ebaecc6
SHA256696abe4ad09e0fb27952adc03c53ba2b1b9c1fae10c9570bb6e71017be725fac
SHA51285fa5bf5d5f3e730db3d7ef930626bd842b4b418fdb24a184ff3e6a4d0d4921df8a80fffdf5523b027a813c7b8b3f4130e2f2c263e44ae328cb6fcc1f32e216d