e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
Size

320KB
MD5

222bdee5eca9fb8fe2a66f9f9c363c73
SHA1

dd361bed6888f6b59db8f579d589ea89598fab23
SHA256

00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a
SHA512

4a8979354b8c4eb32ac4e62ae3f5bf1dc61a2925e6a9c7e27074b301fe3dd8791b594bbc05adad735deb8bdcdf7b9e476969125903acd1c1af2c6d2863ee5010
SSDEEP

6144:skldreTgLp61fV1MQNA0m2MyqmQ6gl+bn0eGWZhHpIE1FUQZCa:HdSTgLp61frpAbyHrD0fWtIGKQd

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\ProgramData\\odtacp\\pgpiv.exe,explorer.exe"	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2300 cmd.exe

pid	process
2300	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\85jrj = "C:\\ProgramData\\qfm\\hcrod.exe"	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exesvchost.execmd.exeattrib.exe00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exesvchost.exewmiprvse.exe

pid process

2964 svchost.exe
2884 svchost.exe
2884 svchost.exe
2964 svchost.exe
2964 svchost.exe
1976 wmiprvse.exe
1976 wmiprvse.exe
2964 svchost.exe

pid	process
2964	svchost.exe
2884	svchost.exe
2884	svchost.exe
2964	svchost.exe
2964	svchost.exe
1976	wmiprvse.exe
1976	wmiprvse.exe
2964	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exesvchost.exe

pid	process
2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
2884	svchost.exe
2884	svchost.exe
2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2964	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAuditPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

svchost.exeExplorer.EXE

pid process

2884 svchost.exe
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

svchost.exeExplorer.EXE

pid process

2884 svchost.exe
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of UnmapMainImage 5 IoCs

Processes:

smss.exesvchost.exeOSPPSVC.EXE

pid process

256 smss.exe
808 svchost.exe
808 svchost.exe
808 svchost.exe
2008 OSPPSVC.EXE

pid	process
2884	svchost.exe
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
2884	svchost.exe
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
256	smss.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
2008	OSPPSVC.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exesvchost.exesvchost.execsrss.exe

description	pid	process	target process
PID 2480 wrote to memory of 1652	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	splwow64.exe
PID 2480 wrote to memory of 1652	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	splwow64.exe
PID 2480 wrote to memory of 1652	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	splwow64.exe
PID 2480 wrote to memory of 1652	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	splwow64.exe
PID 2480 wrote to memory of 2884	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2480 wrote to memory of 2884	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2480 wrote to memory of 2884	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2480 wrote to memory of 2884	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2884 wrote to memory of 2964	2884	svchost.exe	svchost.exe
PID 2884 wrote to memory of 2964	2884	svchost.exe	svchost.exe
PID 2884 wrote to memory of 2964	2884	svchost.exe	svchost.exe
PID 2884 wrote to memory of 2964	2884	svchost.exe	svchost.exe
PID 2964 wrote to memory of 256	2964	svchost.exe	smss.exe
PID 2964 wrote to memory of 332	2964	svchost.exe	csrss.exe
PID 2964 wrote to memory of 380	2964	svchost.exe	wininit.exe
PID 2964 wrote to memory of 388	2964	svchost.exe	csrss.exe
PID 2964 wrote to memory of 428	2964	svchost.exe	winlogon.exe
PID 2964 wrote to memory of 472	2964	svchost.exe	services.exe
PID 2964 wrote to memory of 488	2964	svchost.exe	lsass.exe
PID 2964 wrote to memory of 496	2964	svchost.exe	lsm.exe
PID 2964 wrote to memory of 592	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 668	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 740	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 808	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 844	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 960	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 236	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 340	2964	svchost.exe	spoolsv.exe
PID 2964 wrote to memory of 1064	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 1104	2964	svchost.exe	taskhost.exe
PID 2964 wrote to memory of 1152	2964	svchost.exe	Dwm.exe
PID 2964 wrote to memory of 1196	2964	svchost.exe	Explorer.EXE
PID 2964 wrote to memory of 2008	2964	svchost.exe	OSPPSVC.EXE
PID 2964 wrote to memory of 1240	2964	svchost.exe	wmiprvse.exe
PID 2964 wrote to memory of 836	2964	svchost.exe	DllHost.exe
PID 2964 wrote to memory of 2976	2964	svchost.exe	svchost.exe
PID 2964 wrote to memory of 2064	2964	svchost.exe	sppsvc.exe
PID 2964 wrote to memory of 3004	2964	svchost.exe	WMIADAP.EXE
PID 2964 wrote to memory of 1652	2964	svchost.exe	splwow64.exe
PID 388 wrote to memory of 896	388	csrss.exe	svchost.exe
PID 388 wrote to memory of 896	388	csrss.exe	svchost.exe
PID 388 wrote to memory of 896	388	csrss.exe	svchost.exe
PID 388 wrote to memory of 896	388	csrss.exe	svchost.exe
PID 2480 wrote to memory of 896	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2480 wrote to memory of 896	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2480 wrote to memory of 896	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 2480 wrote to memory of 896	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	svchost.exe
PID 388 wrote to memory of 2480	388	csrss.exe	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
PID 388 wrote to memory of 2480	388	csrss.exe	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
PID 388 wrote to memory of 2300	388	csrss.exe	cmd.exe
PID 388 wrote to memory of 2300	388	csrss.exe	cmd.exe
PID 388 wrote to memory of 2300	388	csrss.exe	cmd.exe
PID 388 wrote to memory of 2300	388	csrss.exe	cmd.exe
PID 2480 wrote to memory of 2300	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	cmd.exe
PID 2480 wrote to memory of 2300	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	cmd.exe
PID 2480 wrote to memory of 2300	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	cmd.exe
PID 2480 wrote to memory of 2300	2480	00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe	cmd.exe
PID 388 wrote to memory of 2520	388	csrss.exe	conhost.exe
PID 388 wrote to memory of 2520	388	csrss.exe	conhost.exe
PID 388 wrote to memory of 2520	388	csrss.exe	conhost.exe
PID 388 wrote to memory of 3068	388	csrss.exe	attrib.exe
PID 388 wrote to memory of 3068	388	csrss.exe	attrib.exe
PID 388 wrote to memory of 3068	388	csrss.exe	attrib.exe
PID 388 wrote to memory of 3068	388	csrss.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3068 attrib.exe

pid	process
3068	attrib.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
- Suspicious use of UnmapMainImage
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1240
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:836
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    - Modifies security service
    PID:740
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    - Suspicious use of UnmapMainImage
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1152
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:844
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:3004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:236
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:340
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1064
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1104
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    - Suspicious use of UnmapMainImage
    PID:2008
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2976
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2064
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-15490498591910626176-746362748553126501822590363-14312520927438850191301285330"
  2⤵
  PID:2520

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1196
- C:\Users\Admin\AppData\Local\Temp\00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
  "C:\Users\Admin\AppData\Local\Temp\00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1652
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\syswow64\svchost.exe
      C:\Windows\syswow64\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2964
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ndyMp6tLLAt.bat" 00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h 00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ati\dqtmkp.sku

Filesize
15KB

MD5
7b58abff2c209b0075d6c7dc308a27a1

SHA1
f9d1ba6c4bed49e1624d484f5e5c0247a497b4af

SHA256
0706a7292dd0f0ef5fde1695f89d02bef72b58215cb3137d029f14c71f16b0e3

SHA512
bbcff10b4df264acc3fc46cb3b11087b4e7ce9732a37cffd5457531a8a09a9975c7f60f83d0d76cf4e5ff79e8245b388d8acc5ffb39a030d2b613334ae143be4

Download Submit
C:\ProgramData\odtacp\pgpiv.exe

Filesize
320KB

MD5
222bdee5eca9fb8fe2a66f9f9c363c73

SHA1
dd361bed6888f6b59db8f579d589ea89598fab23

SHA256
00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a

SHA512
4a8979354b8c4eb32ac4e62ae3f5bf1dc61a2925e6a9c7e27074b301fe3dd8791b594bbc05adad735deb8bdcdf7b9e476969125903acd1c1af2c6d2863ee5010

Download Submit
C:\ProgramData\rhswas\ggvwdjq.fdf

Filesize
348KB

MD5
84e5783c2aac2663445a3e580652fcf0

SHA1
d8180208ebf94d1b3562a507c4f2ac097c76f724

SHA256
14a1bf27d293b17bfe83d36dab595b80d2c53987d525f17cef64029f6a2a6add

SHA512
57f922664c691a8eae1c15214d72c6624d52c7ff1acdf9b1d995201bfa905a53cecb8047b8595afb62cb772826b55dc353bfd654327bcf94b2f9eb277bdc69a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ndyMp6tLLAt.bat

Filesize
74B

MD5
f488b5df4ab36b2fa1c78c041f5a433c

SHA1
fe8b77ce17a48de7d7e6f7bfe7b8411701ebb12f

SHA256
ce0e7dceca9e877c8ad232acef340c246f6f553e841dbcff18a9b458cd0fae1c

SHA512
3df780bf8f3c2b547606f2dfc5552ab5140fdb089681f5945d2aec23d3eeb13d1546ea100881d6c830110c79c60f113788b1fbc7fd674a3578f9e2f76ea54ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxtsrpf.ovc

Filesize
373B

MD5
ce5119e12ef1d2a750823275807d81d2

SHA1
eccb535ec6891f56b0f0f400482288b4b8cc6760

SHA256
a2d1508335c7455209fa7599cdfad29ce70b24e9cb4fa1b8a2d37115028b20ff

SHA512
e294561c3c6823145d226b932efb35ae9fd8fb1716ab3c78af3e528c2881b19db3d687b07a2b36490ac1dd3c96cb0a66defa965474f8482db9be9b8dc84fc490

Download Submit
memory/236-91-0x0000000000BE0000-0x0000000000C30000-memory.dmp

Filesize
320KB

Download
memory/256-43-0x0000000000190000-0x00000000001E0000-memory.dmp

Filesize
320KB

Download
memory/256-45-0x0000000000190000-0x00000000001E0000-memory.dmp

Filesize
320KB

Download
memory/256-46-0x0000000000190000-0x00000000001E0000-memory.dmp

Filesize
320KB

Download
memory/332-49-0x00000000025B0000-0x0000000002600000-memory.dmp

Filesize
320KB

Download
memory/332-144-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/332-143-0x00000000025B0000-0x0000000002600000-memory.dmp

Filesize
320KB

Download
memory/332-207-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/340-94-0x00000000001E0000-0x0000000000230000-memory.dmp

Filesize
320KB

Download
memory/380-148-0x0000000000B30000-0x0000000000B80000-memory.dmp

Filesize
320KB

Download
memory/380-209-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/380-149-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/380-52-0x0000000000B30000-0x0000000000B80000-memory.dmp

Filesize
320KB

Download
memory/388-173-0x0000000000C40000-0x0000000000C90000-memory.dmp

Filesize
320KB

Download
memory/388-58-0x0000000000C40000-0x0000000000C90000-memory.dmp

Filesize
320KB

Download
memory/388-214-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/388-152-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/428-154-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/428-153-0x0000000000D50000-0x0000000000DA0000-memory.dmp

Filesize
320KB

Download
memory/428-59-0x0000000000D50000-0x0000000000DA0000-memory.dmp

Filesize
320KB

Download
memory/472-160-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/472-219-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/472-64-0x00000000004F0000-0x0000000000540000-memory.dmp

Filesize
320KB

Download
memory/472-157-0x00000000004F0000-0x0000000000540000-memory.dmp

Filesize
320KB

Download
memory/488-165-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/488-223-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/488-70-0x0000000000C70000-0x0000000000CC0000-memory.dmp

Filesize
320KB

Download
memory/488-163-0x0000000000C70000-0x0000000000CC0000-memory.dmp

Filesize
320KB

Download
memory/496-97-0x0000000000920000-0x0000000000970000-memory.dmp

Filesize
320KB

Download
memory/496-170-0x0000000000920000-0x0000000000970000-memory.dmp

Filesize
320KB

Download
memory/592-171-0x00000000002E0000-0x0000000000330000-memory.dmp

Filesize
320KB

Download
memory/668-74-0x00000000004B0000-0x0000000000500000-memory.dmp

Filesize
320KB

Download
memory/668-168-0x00000000004B0000-0x0000000000500000-memory.dmp

Filesize
320KB

Download
memory/740-172-0x0000000000C20000-0x0000000000C70000-memory.dmp

Filesize
320KB

Download
memory/808-169-0x0000000000150000-0x00000000001A0000-memory.dmp

Filesize
320KB

Download
memory/808-85-0x0000000000150000-0x00000000001A0000-memory.dmp

Filesize
320KB

Download
memory/960-89-0x0000000000C40000-0x0000000000C90000-memory.dmp

Filesize
320KB

Download
memory/2480-17-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2480-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2480-0-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2480-3-0x0000000003100000-0x0000000003370000-memory.dmp

Filesize
2.4MB

Download
memory/2480-35-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2480-29-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2480-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2480-12-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2480-16-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2480-5-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2480-20-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2480-36-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2480-22-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2480-18-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2480-193-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2480-19-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2480-11-0x0000000003100000-0x0000000003370000-memory.dmp

Filesize
2.4MB

Download
memory/2480-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2480-7-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2884-34-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2884-33-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2884-32-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2964-167-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-150-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-151-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-146-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-145-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-155-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-156-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-142-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-141-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-158-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-159-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-161-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-206-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-205-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-208-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-162-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-164-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-211-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-210-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-212-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-213-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-166-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-216-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-215-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-218-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-39-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2964-217-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-221-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-220-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-224-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2964-40-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2964-222-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-41-0x0000000000120000-0x000000000015F000-memory.dmp

Filesize
252KB

Download