2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe
Size

31.3MB
MD5

c7d41ab0010d16a148b032181ec6647d
SHA1

1caa54814b72de04291ac5b90e22295c1b24db4d
SHA256

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a
SHA512

129445debf1b1bf3972df64faca2f52b214cc3f1834b2db96c9cce62cf3ec9bf648c06aedc99d025fecbfe36cedb3637cab544c4267553063b1de2987f3e18dc
SSDEEP

786432:zO2PsT1ywB80O57/Y8sqa7FV1xX6Oq6UXirV9Md8Ww:zO2PsRywB8j5sAapvxXTamCtw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 13 IoCs

Processes:

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp7c482eef2.exe1d776d1b.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exe

pid	process
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
2460	7c482eef2.exe
1984	1d776d1b.exe
2204	soiucosxz.exe
688	soiucosxz.exe
2124	soiucosxz.exe
1052	soiucosxz.exe
444	soiucosxz.exe
1352	soiucosxz.exe
1380	soiucosxz.exe
3028	soiucosxz.exe
2744	soiucosxz.exe
2828	soiucosxz.exe

Loads dropped DLL 20 IoCs

Processes:

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmpsoiucosxz.execmd.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exe

pid	process
1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
2204	soiucosxz.exe
2204	soiucosxz.exe
1036	cmd.exe
688	soiucosxz.exe
688	soiucosxz.exe
2124	soiucosxz.exe
1052	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
1352	soiucosxz.exe
1352	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
2828	soiucosxz.exe
2828	soiucosxz.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

soiucosxz.exesoiucosxz.exe

description	ioc	process
File opened (read-only)	\??\G:	soiucosxz.exe
File opened (read-only)	\??\O:	soiucosxz.exe
File opened (read-only)	\??\R:	soiucosxz.exe
File opened (read-only)	\??\Z:	soiucosxz.exe
File opened (read-only)	\??\H:	soiucosxz.exe
File opened (read-only)	\??\P:	soiucosxz.exe
File opened (read-only)	\??\E:	soiucosxz.exe
File opened (read-only)	\??\I:	soiucosxz.exe
File opened (read-only)	\??\I:	soiucosxz.exe
File opened (read-only)	\??\Q:	soiucosxz.exe
File opened (read-only)	\??\M:	soiucosxz.exe
File opened (read-only)	\??\T:	soiucosxz.exe
File opened (read-only)	\??\Y:	soiucosxz.exe
File opened (read-only)	\??\B:	soiucosxz.exe
File opened (read-only)	\??\N:	soiucosxz.exe
File opened (read-only)	\??\B:	soiucosxz.exe
File opened (read-only)	\??\V:	soiucosxz.exe
File opened (read-only)	\??\W:	soiucosxz.exe
File opened (read-only)	\??\G:	soiucosxz.exe
File opened (read-only)	\??\L:	soiucosxz.exe
File opened (read-only)	\??\Y:	soiucosxz.exe
File opened (read-only)	\??\Z:	soiucosxz.exe
File opened (read-only)	\??\Q:	soiucosxz.exe
File opened (read-only)	\??\U:	soiucosxz.exe
File opened (read-only)	\??\X:	soiucosxz.exe
File opened (read-only)	\??\K:	soiucosxz.exe
File opened (read-only)	\??\O:	soiucosxz.exe
File opened (read-only)	\??\S:	soiucosxz.exe
File opened (read-only)	\??\V:	soiucosxz.exe
File opened (read-only)	\??\X:	soiucosxz.exe
File opened (read-only)	\??\J:	soiucosxz.exe
File opened (read-only)	\??\N:	soiucosxz.exe
File opened (read-only)	\??\P:	soiucosxz.exe
File opened (read-only)	\??\T:	soiucosxz.exe
File opened (read-only)	\??\E:	soiucosxz.exe
File opened (read-only)	\??\J:	soiucosxz.exe
File opened (read-only)	\??\U:	soiucosxz.exe
File opened (read-only)	\??\W:	soiucosxz.exe
File opened (read-only)	\??\H:	soiucosxz.exe
File opened (read-only)	\??\K:	soiucosxz.exe
File opened (read-only)	\??\L:	soiucosxz.exe
File opened (read-only)	\??\M:	soiucosxz.exe
File opened (read-only)	\??\S:	soiucosxz.exe
File opened (read-only)	\??\R:	soiucosxz.exe

Drops file in Windows directory 12 IoCs

Processes:

soiucosxz.exe

description	ioc	process
File created	C:\Windows\yODKBoGrgBBK\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File opened for modification	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File created	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat	soiucosxz.exe
File opened for modification	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat	soiucosxz.exe
File created	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\zlibwapi.dll	soiucosxz.exe
File opened for modification	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\zlibwapi.dll	soiucosxz.exe
File opened for modification	C:\Windows\yODKBoGrgBBK\soiucosxz.exe	soiucosxz.exe
File opened for modification	C:\Windows\yODKBoGrgBBK\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File created	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File created	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\libcurl.dll	soiucosxz.exe
File opened for modification	C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\libcurl.dll	soiucosxz.exe
File created	C:\Windows\yODKBoGrgBBK\soiucosxz.exe	soiucosxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp7c482eef2.exe1d776d1b.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c482eef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d776d1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soiucosxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soiucosxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soiucosxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soiucosxz.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

soiucosxz.exesoiucosxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soiucosxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	soiucosxz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soiucosxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	soiucosxz.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmpsoiucosxz.exesoiucosxz.exesoiucosxz.exe

pid	process
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
2204	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
444	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe
1380	soiucosxz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp

pid process

1932 2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmpcmd.exesoiucosxz.exesoiucosxz.execmd.exesoiucosxz.exetaskeng.exesoiucosxz.exesoiucosxz.exe

description	pid	process	target process
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1952 wrote to memory of 1932	1952	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
PID 1932 wrote to memory of 2460	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	7c482eef2.exe
PID 1932 wrote to memory of 2460	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	7c482eef2.exe
PID 1932 wrote to memory of 2460	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	7c482eef2.exe
PID 1932 wrote to memory of 2460	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	7c482eef2.exe
PID 1932 wrote to memory of 1984	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	1d776d1b.exe
PID 1932 wrote to memory of 1984	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	1d776d1b.exe
PID 1932 wrote to memory of 1984	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	1d776d1b.exe
PID 1932 wrote to memory of 1984	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	1d776d1b.exe
PID 1932 wrote to memory of 2204	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	soiucosxz.exe
PID 1932 wrote to memory of 2204	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	soiucosxz.exe
PID 1932 wrote to memory of 2204	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	soiucosxz.exe
PID 1932 wrote to memory of 2204	1932	2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp	soiucosxz.exe
PID 1036 wrote to memory of 688	1036	cmd.exe	soiucosxz.exe
PID 1036 wrote to memory of 688	1036	cmd.exe	soiucosxz.exe
PID 1036 wrote to memory of 688	1036	cmd.exe	soiucosxz.exe
PID 2124 wrote to memory of 1052	2124	soiucosxz.exe	soiucosxz.exe
PID 2124 wrote to memory of 1052	2124	soiucosxz.exe	soiucosxz.exe
PID 2124 wrote to memory of 1052	2124	soiucosxz.exe	soiucosxz.exe
PID 2124 wrote to memory of 1052	2124	soiucosxz.exe	soiucosxz.exe
PID 1052 wrote to memory of 444	1052	soiucosxz.exe	soiucosxz.exe
PID 1052 wrote to memory of 444	1052	soiucosxz.exe	soiucosxz.exe
PID 1052 wrote to memory of 444	1052	soiucosxz.exe	soiucosxz.exe
PID 1052 wrote to memory of 444	1052	soiucosxz.exe	soiucosxz.exe
PID 684 wrote to memory of 1352	684	cmd.exe	soiucosxz.exe
PID 684 wrote to memory of 1352	684	cmd.exe	soiucosxz.exe
PID 684 wrote to memory of 1352	684	cmd.exe	soiucosxz.exe
PID 444 wrote to memory of 1380	444	soiucosxz.exe	soiucosxz.exe
PID 444 wrote to memory of 1380	444	soiucosxz.exe	soiucosxz.exe
PID 444 wrote to memory of 1380	444	soiucosxz.exe	soiucosxz.exe
PID 1864 wrote to memory of 3028	1864	taskeng.exe	soiucosxz.exe
PID 1864 wrote to memory of 3028	1864	taskeng.exe	soiucosxz.exe
PID 1864 wrote to memory of 3028	1864	taskeng.exe	soiucosxz.exe
PID 1864 wrote to memory of 3028	1864	taskeng.exe	soiucosxz.exe
PID 3028 wrote to memory of 2744	3028	soiucosxz.exe	soiucosxz.exe
PID 3028 wrote to memory of 2744	3028	soiucosxz.exe	soiucosxz.exe
PID 3028 wrote to memory of 2744	3028	soiucosxz.exe	soiucosxz.exe
PID 3028 wrote to memory of 2744	3028	soiucosxz.exe	soiucosxz.exe
PID 2744 wrote to memory of 2828	2744	soiucosxz.exe	soiucosxz.exe
PID 2744 wrote to memory of 2828	2744	soiucosxz.exe	soiucosxz.exe
PID 2744 wrote to memory of 2828	2744	soiucosxz.exe	soiucosxz.exe
PID 2744 wrote to memory of 2828	2744	soiucosxz.exe	soiucosxz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe
"C:\Users\Admin\AppData\Local\Temp\2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\is-BK6LD.tmp\2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BK6LD.tmp\2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp" /SL5="$40016,31822156,823808,C:\Users\Admin\AppData\Local\Temp\2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Roaming\807a338fc\7c482eef2.exe
    "C:\Users\Admin\AppData\Roaming\807a338fc\7c482eef2.exe" -p3fe9b3db2fb4e3 -y -o"C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2460
- - C:\Users\Admin\AppData\Roaming\807a338fc\1d776d1b.exe
    "C:\Users\Admin\AppData\Roaming\807a338fc\1d776d1b.exe" -p8c4c3197b2ed -y -o"C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\8759028512228695611836565\soiucosxz.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\soiucosxz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2204

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\soiucosxz.exe" 3aede031690535070f390095f2d2 2204 "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\8759028512228695611836565\soiucosxz.exe
  "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\soiucosxz.exe" 3aede031690535070f390095f2d2 2204 "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:688

C:\Windows\yODKBoGrgBBK\soiucosxz.exe
"C:\Windows\yODKBoGrgBBK\soiucosxz.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\yODKBoGrgBBK\app-0.89.2\soiucosxz.exe
  "C:\Windows\yODKBoGrgBBK\app-0.89.2\soiucosxz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe
    "C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe
      "C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe" "bcbf6f4"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1380

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 2204 "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\"
1⤵
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe
  "C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 2204 "C:\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\..\8759028512228695611836565\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1352

C:\Windows\system32\taskeng.exe
taskeng.exe {33C87E4C-FD8A-47D7-80E3-1D6EF91238DC} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\yODKBoGrgBBK\soiucosxz.exe
  C:\Windows\yODKBoGrgBBK\soiucosxz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\yODKBoGrgBBK\app-0.89.2\soiucosxz.exe
    "C:\Windows\yODKBoGrgBBK\app-0.89.2\soiucosxz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe
      "C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\soiucosxz.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AB819CA4478D450CF3B95B908C7AD475

Filesize
520B

MD5
9a59af11841ab4aebfaae428f1a7c7b3

SHA1
83d7d8e6273c7d93296b053298aa75655dd381e3

SHA256
d68e6584ccd68f0b6509d7181e35ed4c0a21aa9e86bb90cea6315be3b16ba0ee

SHA512
c04a74de4963012b13423a71002849b0e8906089d04b9a7171b2185784598595c84d0cd5cf255a5143bf1c01fcec66678c714020cc506c7196240ccb4c2e0565

Download Submit
C:\Users\Admin\AppData\Local\Temp\8759028512228695611836565\8FF3EF380313034D8D84BAF59.cat

Filesize
10.9MB

MD5
9ea898b2095b6f751b020c3e294f2482

SHA1
09380f3924a961c7899b4bfa5f5f91515f9221a5

SHA256
3c0a526440055c1140cd62d1942c5035bb378b99c6f48f7dec0207e4791fa8e1

SHA512
e6a01f7d5e45ad65988b81107f10c15bce37221ef1da1d890fe2d1453efc8c1c2b33fd5de6c51bd72e18e9286c0ff06bd55d7fe2f068324aa15b0d34353476c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8759028512228695611836565\zlibwapi.dll

Filesize
3.1MB

MD5
4d05d940fa3851c6322f11463f76fb85

SHA1
5502f7bf7bdaed6861044cb34cff08656c963775

SHA256
01f062fa5f11aebf8c2cd57fc148c3b4b1a64e97dcf68194c0545361973d6e94

SHA512
5cf57118e70228afad77368277bd2fc8de71172d9317b44b2147e68dd8dcbfaf3dcc052fcdf430870484ef281ffddbeaef96a9d00acb8de29b0d03bba01ae34c

Download Submit
C:\Users\Admin\AppData\Roaming\807a338fc\1d776d1b.exe

Filesize
14.9MB

MD5
2fb24df18e2861be07492281bec9f484

SHA1
273af996154ae600737467bea46cb6c7b07d2852

SHA256
a93bf79ed9e71079c3e54d795ef5046d2ac05cf332683a4f1dd90a8e3201072c

SHA512
14367623cf8ea957b4ffe0771c24f3eba4f5192d5b085768d4706781571df892247c54251ab0142e7a033e46bdab469c8ab57710d4188c621dee9423369c6b07

Download Submit
C:\Users\Admin\AppData\Roaming\807a338fc\7c482eef2.exe

Filesize
14.8MB

MD5
96954ca0f0e275060d6d868947973758

SHA1
ddbbeb20801719d110459eb39cc6e3cd7acf4bc9

SHA256
5e2c60eda616cc327c8b54973802677471ccf2ea20b6565b70182d9e28f1df07

SHA512
60d5c5a15f44cd787b809f82edb5f069197911f07ea2bba2f78c76294092d64e99e55d9d55912a148ea1296f2dd63d798f1baf54432776568731dced61edb33d

Download Submit
C:\Windows\yODKBoGrgBBK\app-0.89.2\app-0.89.2\zlibwapi.dll

Filesize
1.0MB

MD5
24cb34cacc6e1c539e58bd5cda620a29

SHA1
c6aaf4ce2b51ec487632b41d16b812cbf6b240d9

SHA256
5e4b57f8b3d39cc6f90e0e17b7d12d9f3eea67d1a1f2ee73c428c1388a7e65c3

SHA512
83d097955af0844280ee2b6df3173cb06275ed6be085089e2898cacedfc769c10c0870d2782f0180bec4f0c32c02b418b34a8082c29784393a3a4b7c8aa834ba

Download Submit
C:\Windows\yODKBoGrgBBK\soiucosxz.exe

Filesize
586KB

MD5
f6f6ff4e9b359bc005a25fadb3a0aa61

SHA1
831fe06ce2015e2d66467d04f2d46ec3e96524d3

SHA256
6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324

SHA512
db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14

Download Submit
\Users\Admin\AppData\Local\Temp\8759028512228695611836565\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
\Users\Admin\AppData\Local\Temp\8759028512228695611836565\soiucosxz.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-BK6LD.tmp\2e344b4d1a3027208b184ea08b2cda0292c466dae194574d6d55de5b3a5ee96a.tmp

Filesize
3.2MB

MD5
9b79bdccec683275f9527bb2aaaf0999

SHA1
52d087eec95fb4b224609559d63720e05b178156

SHA256
ee67d5a36a7bcb20aca3a8688ea5a07652575a1febf6c7708ab266cbc72747d7

SHA512
47979febaf20f40ee0734f34d159e1056a66c6d445637241213de666cfe4d181fa7194cd6b567ac3aefcf36489314a0493f087fb2440debe926f0e8d7f734989

Download Submit
\Users\Admin\AppData\Local\Temp\is-GABEA.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/444-113-0x00000000030C0000-0x0000000003C17000-memory.dmp

Filesize
11.3MB

Download
memory/444-102-0x000007FEF67E0000-0x000007FEF68E8000-memory.dmp

Filesize
1.0MB

Download
memory/444-111-0x00000000030C0000-0x0000000003C17000-memory.dmp

Filesize
11.3MB

Download
memory/688-74-0x0000000002F20000-0x0000000003A77000-memory.dmp

Filesize
11.3MB

Download
memory/688-72-0x0000000002F20000-0x0000000003A77000-memory.dmp

Filesize
11.3MB

Download
memory/1352-108-0x000007FEF67E0000-0x000007FEF68E8000-memory.dmp

Filesize
1.0MB

Download
memory/1352-123-0x0000000002F20000-0x0000000003A77000-memory.dmp

Filesize
11.3MB

Download
memory/1380-133-0x0000000004200000-0x0000000004D57000-memory.dmp

Filesize
11.3MB

Download
memory/1380-131-0x0000000004200000-0x0000000004D57000-memory.dmp

Filesize
11.3MB

Download
memory/1380-135-0x0000000005D00000-0x0000000005F73000-memory.dmp

Filesize
2.4MB

Download
memory/1380-129-0x0000000004200000-0x0000000004D57000-memory.dmp

Filesize
11.3MB

Download
memory/1380-119-0x000007FEF67E0000-0x000007FEF68E8000-memory.dmp

Filesize
1.0MB

Download
memory/1380-138-0x0000000005D00000-0x0000000005F73000-memory.dmp

Filesize
2.4MB

Download
memory/1380-136-0x0000000005D00000-0x0000000005F73000-memory.dmp

Filesize
2.4MB

Download
memory/1932-49-0x0000000000850000-0x0000000000B86000-memory.dmp

Filesize
3.2MB

Download
memory/1932-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-2-0x0000000000E71000-0x0000000000F19000-memory.dmp

Filesize
672KB

Download
memory/1952-0-0x0000000000E70000-0x0000000000F47000-memory.dmp

Filesize
860KB

Download
memory/1952-51-0x0000000000E70000-0x0000000000F47000-memory.dmp

Filesize
860KB

Download
memory/2204-70-0x00000000059C0000-0x0000000005C33000-memory.dmp

Filesize
2.4MB

Download
memory/2204-126-0x00000000059C0000-0x0000000005C33000-memory.dmp

Filesize
2.4MB

Download
memory/2204-68-0x00000000059C0000-0x0000000005C33000-memory.dmp

Filesize
2.4MB

Download
memory/2204-67-0x00000000059C0000-0x0000000005C33000-memory.dmp

Filesize
2.4MB

Download
memory/2204-57-0x00000000040B0000-0x0000000004C07000-memory.dmp

Filesize
11.3MB

Download
memory/2204-54-0x00000000040B0000-0x0000000004C07000-memory.dmp

Filesize
11.3MB

Download
memory/2204-53-0x0000000001F70000-0x0000000002A5B000-memory.dmp

Filesize
10.9MB

Download
memory/2828-146-0x000007FEF67E0000-0x000007FEF68E8000-memory.dmp

Filesize
1.0MB

Download