Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2024, 08:56
Static task: static1
Behavioral task: behavioral1
  Sample: c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/kymographs.dll
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/kymographs.dll
  Resource: win10v2004-20241007-en
General
Target: c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Size: 119KB
MD5: 9643154395cef6ad892847d9d1806756
SHA1: 9be8440a9c34a60b58410b93bcff09b76a9d9bbf
SHA256: c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f
SHA512: 9811c24d3ad44ca7079411103d4dd0a127d46db8cd22cca28b1b384273d63dedc6e6068e82cb6c8b53ceb5f31308d525709a4431a8e9c5126df79d57875236c8
SSDEEP: 3072:2DQkrZoosbIfXJGWJGYvjKSFzPnqFR7Xe1ya+dLT:2DpoejJfm6zv2a1ya+pT
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuauclt.exe" | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuauclt.exe" | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  4060 | netsh.exe
Loads dropped DLL (1 IoC)
  pid | Process
  3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*MediaMangr0 = "\"C:\\ProgramData\\MediaMangr0\\dwm.exe\"" | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 = "awmv.61776D77vmwavboxqemuVMwarevmwarevirtualxen" | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Firewall.cpl | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  File opened for modification | C:\Windows\SysWOW64\FirewallAPI.dll | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  File created | C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  File opened for modification | C:\Windows\SysWOW64\rstrui.exe | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  File opened for modification | C:\Windows\SysWOW64\mmc.exe | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  File created | C:\Windows\SysWOW64\mmc.exe:Zone.Identifier | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3052 set thread context of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86

  resource | yara_rule
  behavioral2/memory/4012-6-0x0000000000400000-0x000000000042C000-memory.dmp | upx
  behavioral2/memory/4012-11-0x0000000000400000-0x000000000042C000-memory.dmp | upx
  behavioral2/memory/4012-13-0x0000000000400000-0x000000000042C000-memory.dmp | upx
  behavioral2/memory/4012-17-0x0000000000400000-0x000000000042C000-memory.dmp | upx
  behavioral2/memory/4012-18-0x0000000000400000-0x000000000042C000-memory.dmp | upx
  behavioral2/memory/4012-19-0x0000000000400000-0x000000000042C000-memory.dmp | upx
  behavioral2/memory/4012-116-0x0000000000400000-0x000000000042C000-memory.dmp | upx
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  3828 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
NSIS installer (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0009000000023cb0-21.dat | nsis_installer_1
  behavioral2/files/0x0009000000023cb0-21.dat | nsis_installer_2
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 3052 wrote to memory of 4012 | 3052 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 86
  PID 4012 wrote to memory of 3828 | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 87
  PID 4012 wrote to memory of 3828 | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 87
  PID 4012 wrote to memory of 3828 | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 87
  PID 4012 wrote to memory of 4060 | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 88
  PID 4012 wrote to memory of 4060 | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 88
  PID 4012 wrote to memory of 4060 | 4012 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3052
  - C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
    - Modifies firewall policy service
    - Modifies visibility of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4012
    - C:\Windows\SysWOW64\sc.exe (level 3)
      Command line: sc.exe config SharedAccess start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 3828
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh.exe firewall set opmode mode=disable profile=all
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 4060
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (2)
  Modify Registry (3)
Downloads
- Filesize: 119KB
  MD5: 9643154395cef6ad892847d9d1806756
  SHA1: 9be8440a9c34a60b58410b93bcff09b76a9d9bbf
  SHA256: c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f
  SHA512: 9811c24d3ad44ca7079411103d4dd0a127d46db8cd22cca28b1b384273d63dedc6e6068e82cb6c8b53ceb5f31308d525709a4431a8e9c5126df79d57875236c8
- Filesize: 66KB
  MD5: 42e4078c829a2e1d2734b0033847d2cc
  SHA1: 5f0279f9190c168d345e024f1e4b8739aec63cfc
  SHA256: 4cb8de133b9d26ba4d41ed9b4bae121e4b86760805d89f97331e2b5cbb4670b2
  SHA512: 56be830839f3a728cf844c1656a3cad1aed77d71754d5350b7133f4b02e5c947bcae5be23d7668f13255779ed8e51cc3001b831c76d777cb9e88343d23c093f2