f11292adfaac7bccdcb111d25e2423e4d5f5439724ce304995efea0ddb748daa

Analysis

max time kernel
119s
max time network
132s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe
Size

20.4MB
MD5

044f51347e293ac77de4cd47bdccbacf
SHA1

4c67777228575ac317c62855e6d9dd0a6da48c2d
SHA256

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2
SHA512

f3976170a7f965f9674712904a0effc8383ea1a7ac5961a746b319d4659f52f82578b5adf4a0ca52f0434a896d310268ac7e40391fb0ea929a2482bb78aa0775
SSDEEP

393216:SiX7fx65E78eL1uwtkbZtqtQEt8+OIbyMl1PiT+KiSn7h6LPr8Y:bTxOEJuw+bP5krOIO3aKiSn7aPIY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp20decf5c428.exe62b24530.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exe

pid	process
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
564	20decf5c428.exe
2608	62b24530.exe
1700	soiucosxz.exe
1160	soiucosxz.exe
1228	soiucosxz.exe
1604	soiucosxz.exe
1640	soiucosxz.exe
1280	soiucosxz.exe
1180	soiucosxz.exe

Loads dropped DLL 18 IoCs

Processes:

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmpsoiucosxz.execmd.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exesoiucosxz.exe

pid	process
2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
1700	soiucosxz.exe
1700	soiucosxz.exe
1592	cmd.exe
1160	soiucosxz.exe
1160	soiucosxz.exe
1228	soiucosxz.exe
1604	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1280	soiucosxz.exe
1280	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

soiucosxz.exesoiucosxz.exe

description	ioc	process
File opened (read-only)	\??\T:	soiucosxz.exe
File opened (read-only)	\??\W:	soiucosxz.exe
File opened (read-only)	\??\M:	soiucosxz.exe
File opened (read-only)	\??\O:	soiucosxz.exe
File opened (read-only)	\??\S:	soiucosxz.exe
File opened (read-only)	\??\U:	soiucosxz.exe
File opened (read-only)	\??\X:	soiucosxz.exe
File opened (read-only)	\??\M:	soiucosxz.exe
File opened (read-only)	\??\O:	soiucosxz.exe
File opened (read-only)	\??\Z:	soiucosxz.exe
File opened (read-only)	\??\E:	soiucosxz.exe
File opened (read-only)	\??\H:	soiucosxz.exe
File opened (read-only)	\??\Y:	soiucosxz.exe
File opened (read-only)	\??\Z:	soiucosxz.exe
File opened (read-only)	\??\J:	soiucosxz.exe
File opened (read-only)	\??\K:	soiucosxz.exe
File opened (read-only)	\??\S:	soiucosxz.exe
File opened (read-only)	\??\G:	soiucosxz.exe
File opened (read-only)	\??\E:	soiucosxz.exe
File opened (read-only)	\??\N:	soiucosxz.exe
File opened (read-only)	\??\P:	soiucosxz.exe
File opened (read-only)	\??\R:	soiucosxz.exe
File opened (read-only)	\??\L:	soiucosxz.exe
File opened (read-only)	\??\R:	soiucosxz.exe
File opened (read-only)	\??\X:	soiucosxz.exe
File opened (read-only)	\??\Y:	soiucosxz.exe
File opened (read-only)	\??\I:	soiucosxz.exe
File opened (read-only)	\??\Q:	soiucosxz.exe
File opened (read-only)	\??\H:	soiucosxz.exe
File opened (read-only)	\??\B:	soiucosxz.exe
File opened (read-only)	\??\J:	soiucosxz.exe
File opened (read-only)	\??\K:	soiucosxz.exe
File opened (read-only)	\??\L:	soiucosxz.exe
File opened (read-only)	\??\N:	soiucosxz.exe
File opened (read-only)	\??\P:	soiucosxz.exe
File opened (read-only)	\??\T:	soiucosxz.exe
File opened (read-only)	\??\W:	soiucosxz.exe
File opened (read-only)	\??\B:	soiucosxz.exe
File opened (read-only)	\??\I:	soiucosxz.exe
File opened (read-only)	\??\Q:	soiucosxz.exe
File opened (read-only)	\??\U:	soiucosxz.exe
File opened (read-only)	\??\V:	soiucosxz.exe
File opened (read-only)	\??\V:	soiucosxz.exe
File opened (read-only)	\??\G:	soiucosxz.exe

Drops file in Windows directory 12 IoCs

Processes:

soiucosxz.exe

description	ioc	process
File created	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File opened for modification	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File created	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat	soiucosxz.exe
File opened for modification	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat	soiucosxz.exe
File opened for modification	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\libcurl.dll	soiucosxz.exe
File created	C:\Windows\PJs1PjXazMjj\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File opened for modification	C:\Windows\PJs1PjXazMjj\soiucosxz.exe	soiucosxz.exe
File opened for modification	C:\Windows\PJs1PjXazMjj\app-0.89.2\soiucosxz.exe	soiucosxz.exe
File created	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\zlibwapi.dll	soiucosxz.exe
File opened for modification	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\zlibwapi.dll	soiucosxz.exe
File created	C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\libcurl.dll	soiucosxz.exe
File created	C:\Windows\PJs1PjXazMjj\soiucosxz.exe	soiucosxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp20decf5c428.exe62b24530.exesoiucosxz.exesoiucosxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20decf5c428.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62b24530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soiucosxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soiucosxz.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

soiucosxz.exesoiucosxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soiucosxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	soiucosxz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soiucosxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	soiucosxz.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmpsoiucosxz.exesoiucosxz.exesoiucosxz.exe

pid	process
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1700	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1640	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe
1180	soiucosxz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp

pid process

2344 4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmpcmd.exesoiucosxz.exesoiucosxz.execmd.exesoiucosxz.exe

description	pid	process	target process
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2336 wrote to memory of 2344	2336	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
PID 2344 wrote to memory of 564	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	20decf5c428.exe
PID 2344 wrote to memory of 564	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	20decf5c428.exe
PID 2344 wrote to memory of 564	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	20decf5c428.exe
PID 2344 wrote to memory of 564	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	20decf5c428.exe
PID 2344 wrote to memory of 2608	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	62b24530.exe
PID 2344 wrote to memory of 2608	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	62b24530.exe
PID 2344 wrote to memory of 2608	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	62b24530.exe
PID 2344 wrote to memory of 2608	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	62b24530.exe
PID 2344 wrote to memory of 1700	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	soiucosxz.exe
PID 2344 wrote to memory of 1700	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	soiucosxz.exe
PID 2344 wrote to memory of 1700	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	soiucosxz.exe
PID 2344 wrote to memory of 1700	2344	4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp	soiucosxz.exe
PID 1592 wrote to memory of 1160	1592	cmd.exe	soiucosxz.exe
PID 1592 wrote to memory of 1160	1592	cmd.exe	soiucosxz.exe
PID 1592 wrote to memory of 1160	1592	cmd.exe	soiucosxz.exe
PID 1228 wrote to memory of 1604	1228	soiucosxz.exe	soiucosxz.exe
PID 1228 wrote to memory of 1604	1228	soiucosxz.exe	soiucosxz.exe
PID 1228 wrote to memory of 1604	1228	soiucosxz.exe	soiucosxz.exe
PID 1228 wrote to memory of 1604	1228	soiucosxz.exe	soiucosxz.exe
PID 1604 wrote to memory of 1640	1604	soiucosxz.exe	soiucosxz.exe
PID 1604 wrote to memory of 1640	1604	soiucosxz.exe	soiucosxz.exe
PID 1604 wrote to memory of 1640	1604	soiucosxz.exe	soiucosxz.exe
PID 1604 wrote to memory of 1640	1604	soiucosxz.exe	soiucosxz.exe
PID 1576 wrote to memory of 1280	1576	cmd.exe	soiucosxz.exe
PID 1576 wrote to memory of 1280	1576	cmd.exe	soiucosxz.exe
PID 1576 wrote to memory of 1280	1576	cmd.exe	soiucosxz.exe
PID 1640 wrote to memory of 1180	1640	soiucosxz.exe	soiucosxz.exe
PID 1640 wrote to memory of 1180	1640	soiucosxz.exe	soiucosxz.exe
PID 1640 wrote to memory of 1180	1640	soiucosxz.exe	soiucosxz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe
"C:\Users\Admin\AppData\Local\Temp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\is-454OQ.tmp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-454OQ.tmp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp" /SL5="$400F8,20366305,827392,C:\Users\Admin\AppData\Local\Temp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe
    "C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:564
- - C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe
    "C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\286131484395612415611209883\soiucosxz.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\soiucosxz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1700

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\soiucosxz.exe" 3aede031690535070f390095f2d2 1700 "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\286131484395612415611209883\soiucosxz.exe
  "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\soiucosxz.exe" 3aede031690535070f390095f2d2 1700 "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1160

C:\Windows\PJs1PjXazMjj\soiucosxz.exe
"C:\Windows\PJs1PjXazMjj\soiucosxz.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\PJs1PjXazMjj\app-0.89.2\soiucosxz.exe
  "C:\Windows\PJs1PjXazMjj\app-0.89.2\soiucosxz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe
    "C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe
      "C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe" "bcbf6f4"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1180

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 1700 "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe
  "C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 1700 "C:\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\..\286131484395612415611209883\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AB819CA4478D450CF3B95B908C7AD475

Filesize
520B

MD5
8486170b36861fbb0362427c68cd3f60

SHA1
ebc554e099b48ebe104829efb33f8e7e122f370a

SHA256
271d935fd404a68596c00250561b2c28108fe5ef64be4c768e0ce0d825cfb4f6

SHA512
e917ba70c25115def0465e08fa9a101bcecbed1183d11d8cd988ad5e8ceb9826aee5543553a9e0a1bf1779bec191e4597a1b2c6681b58c223986ec77be11bf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\286131484395612415611209883\8FF3EF380313034D8D84BAF59.cat

Filesize
10.9MB

MD5
9ea898b2095b6f751b020c3e294f2482

SHA1
09380f3924a961c7899b4bfa5f5f91515f9221a5

SHA256
3c0a526440055c1140cd62d1942c5035bb378b99c6f48f7dec0207e4791fa8e1

SHA512
e6a01f7d5e45ad65988b81107f10c15bce37221ef1da1d890fe2d1453efc8c1c2b33fd5de6c51bd72e18e9286c0ff06bd55d7fe2f068324aa15b0d34353476c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\286131484395612415611209883\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
C:\Users\Admin\AppData\Local\Temp\286131484395612415611209883\zlibwapi.dll

Filesize
3.1MB

MD5
4d05d940fa3851c6322f11463f76fb85

SHA1
5502f7bf7bdaed6861044cb34cff08656c963775

SHA256
01f062fa5f11aebf8c2cd57fc148c3b4b1a64e97dcf68194c0545361973d6e94

SHA512
5cf57118e70228afad77368277bd2fc8de71172d9317b44b2147e68dd8dcbfaf3dcc052fcdf430870484ef281ffddbeaef96a9d00acb8de29b0d03bba01ae34c

Download Submit
C:\Windows\PJs1PjXazMjj\app-0.89.2\app-0.89.2\zlibwapi.dll

Filesize
1.0MB

MD5
24cb34cacc6e1c539e58bd5cda620a29

SHA1
c6aaf4ce2b51ec487632b41d16b812cbf6b240d9

SHA256
5e4b57f8b3d39cc6f90e0e17b7d12d9f3eea67d1a1f2ee73c428c1388a7e65c3

SHA512
83d097955af0844280ee2b6df3173cb06275ed6be085089e2898cacedfc769c10c0870d2782f0180bec4f0c32c02b418b34a8082c29784393a3a4b7c8aa834ba

Download Submit
C:\Windows\PJs1PjXazMjj\soiucosxz.exe

Filesize
586KB

MD5
f6f6ff4e9b359bc005a25fadb3a0aa61

SHA1
831fe06ce2015e2d66467d04f2d46ec3e96524d3

SHA256
6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324

SHA512
db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14

Download Submit
\Users\Admin\AppData\Local\Temp\286131484395612415611209883\soiucosxz.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-3HE5O.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Local\Temp\is-454OQ.tmp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp

Filesize
3.2MB

MD5
dc63a4763a59d647c3d0c4480eae0329

SHA1
8d687e717ace0d7d83a1eaa1c5b9eaec168744e7

SHA256
6b9ab11e1a2a79b1a3d211422ac1e603578e7bcaba2917747d57cf8bedac238f

SHA512
39069e76dee870831e1240315f61a9060920ab2de85d1fec0d789eee8882e204414e0934681132ebbc5322d674b068471043859ccbdb869fb62bfa6fc5b741eb

Download Submit
\Users\Admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe

Filesize
3.7MB

MD5
545274ea5d70ff8beb929cda02be53de

SHA1
b06f26c7cd5cda7bf1b8b04778dd157d1e499c35

SHA256
480c2895caee1029ed1160b69c68ca2838ca4fe113466d84dc8064ad28c012c2

SHA512
94924a8d39458bb57b6fe1a908b6e0796bbe6d4c6010505f185a7d89d057d73c707f4074b6589ba5b708bce2afb9f4dbaffd2ad482ff49e31cdf3c2e40dddfd1

Download Submit
\Users\Admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe

Filesize
14.9MB

MD5
cb8267b4b34f49626eaf67b562dc4c87

SHA1
45f12cdad060b99d52345c3174afb2a8014b67ab

SHA256
fa7fe6c1dec39e41f15135abb057aaa81d8c8aeee56dffda46abd2c0d9269643

SHA512
e8364be88e66e3978ddc4841fbada73ea052425a6b134cf96330d665d757dff21df6ab0d0f72b0feede792de2b59626dc5e132c8d22153fde28e32f9e135ddc7

Download Submit
memory/1160-73-0x0000000002DE0000-0x0000000003937000-memory.dmp

Filesize
11.3MB

Download
memory/1160-75-0x0000000002DE0000-0x0000000003937000-memory.dmp

Filesize
11.3MB

Download
memory/1180-137-0x0000000005E90000-0x0000000006103000-memory.dmp

Filesize
2.4MB

Download
memory/1180-130-0x0000000004050000-0x0000000004BA7000-memory.dmp

Filesize
11.3MB

Download
memory/1180-120-0x000007FEF7640000-0x000007FEF7748000-memory.dmp

Filesize
1.0MB

Download
memory/1180-132-0x0000000004050000-0x0000000004BA7000-memory.dmp

Filesize
11.3MB

Download
memory/1180-134-0x0000000004050000-0x0000000004BA7000-memory.dmp

Filesize
11.3MB

Download
memory/1180-136-0x0000000005E90000-0x0000000006103000-memory.dmp

Filesize
2.4MB

Download
memory/1180-139-0x0000000005E90000-0x0000000006103000-memory.dmp

Filesize
2.4MB

Download
memory/1280-124-0x0000000002EE0000-0x0000000003A37000-memory.dmp

Filesize
11.3MB

Download
memory/1280-122-0x0000000002EE0000-0x0000000003A37000-memory.dmp

Filesize
11.3MB

Download
memory/1280-109-0x000007FEF7640000-0x000007FEF7748000-memory.dmp

Filesize
1.0MB

Download
memory/1640-114-0x0000000002D80000-0x00000000038D7000-memory.dmp

Filesize
11.3MB

Download
memory/1640-112-0x0000000002D80000-0x00000000038D7000-memory.dmp

Filesize
11.3MB

Download
memory/1640-103-0x000007FEF7640000-0x000007FEF7748000-memory.dmp

Filesize
1.0MB

Download
memory/1700-54-0x00000000021B0000-0x0000000002C9B000-memory.dmp

Filesize
10.9MB

Download
memory/1700-69-0x0000000005CD0000-0x0000000005F43000-memory.dmp

Filesize
2.4MB

Download
memory/1700-68-0x0000000005CD0000-0x0000000005F43000-memory.dmp

Filesize
2.4MB

Download
memory/1700-57-0x00000000042F0000-0x0000000004E47000-memory.dmp

Filesize
11.3MB

Download
memory/1700-126-0x0000000005CD0000-0x0000000005F43000-memory.dmp

Filesize
2.4MB

Download
memory/1700-56-0x00000000042F0000-0x0000000004E47000-memory.dmp

Filesize
11.3MB

Download
memory/1700-71-0x0000000005CD0000-0x0000000005F43000-memory.dmp

Filesize
2.4MB

Download
memory/2336-0-0x0000000000100000-0x00000000001D8000-memory.dmp

Filesize
864KB

Download
memory/2336-52-0x0000000000100000-0x00000000001D8000-memory.dmp

Filesize
864KB

Download
memory/2336-2-0x0000000000101000-0x00000000001A9000-memory.dmp

Filesize
672KB

Download
memory/2344-50-0x00000000000D0000-0x0000000000407000-memory.dmp

Filesize
3.2MB

Download
memory/2344-12-0x00000000000D0000-0x0000000000407000-memory.dmp

Filesize
3.2MB

Download