bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac

General

Target

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
Size

204KB
MD5

0ac4edfbeaba0f502662782e754cd132
SHA1

661cac1f7496debc8b6caa9fdad81355a53471a5
SHA256

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac
SHA512

adadf04554127edad2bb4876f8bd7a35d10668d4eba41460bb194494bda5cff1496bcb086a0f18cc97650f9b5a8e16acbcc58d94075fe03629ae04dd164f3bbe
SSDEEP

768:LlvMareJ+teVEwbjMPkG1VuW/wqvRXMXp677yCzdXZRT2Nq1MaQnepMri14PGBEw:LRl6J+8jlGVs4emEFb3P0lpX

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

caivoj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	caivoj.exe

Executes dropped EXE 1 IoCs

Processes:

caivoj.exe

pid process

2748 caivoj.exe

Loads dropped DLL 2 IoCs

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe

pid	process
3048	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
3048	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

caivoj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /R"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /b"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /d"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /J"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /k"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /j"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /A"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /n"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /Q"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /y"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /z"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /t"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /v"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /f"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /q"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /E"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /O"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /e"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /C"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /r"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /I"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /H"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /V"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /w"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /s"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /D"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /G"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /K"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /Y"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /u"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /Z"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /S"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /F"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /X"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /p"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /M"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /g"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /N"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /B"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /m"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /o"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /l"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /P"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /U"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /c"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /x"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /W"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /L"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /T"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /h"	caivoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caivoj = "C:\\Users\\Admin\\caivoj.exe /i"	caivoj.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x0000000000443000-memory.dmp	upx
\Users\Admin\caivoj.exe	upx
behavioral1/memory/2748-15-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3048-19-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2748-20-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.execaivoj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caivoj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

caivoj.exe

pid	process
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe
2748	caivoj.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.execaivoj.exe

pid process

3048 bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
2748 caivoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.execaivoj.exe

description	pid	process	target process
PID 3048 wrote to memory of 2748	3048	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	caivoj.exe
PID 3048 wrote to memory of 2748	3048	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	caivoj.exe
PID 3048 wrote to memory of 2748	3048	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	caivoj.exe
PID 3048 wrote to memory of 2748	3048	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	caivoj.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2748 wrote to memory of 3048	2748	caivoj.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe

C:\Users\Admin\AppData\Local\Temp\bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
"C:\Users\Admin\AppData\Local\Temp\bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\caivoj.exe
  "C:\Users\Admin\caivoj.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\caivoj.exe

Filesize
204KB

MD5
f9209045a5dbdf32e196b59cf9015d9b

SHA1
b9cfb60057be48528bc9a9f5a3eea358f3796dd1

SHA256
0ff8aa7ecf5d90279af2b151e3231c41441a0244a58a872e43287788baf4a6d2

SHA512
d1e6570d747caab7939295a7ff39397996c8321b3ef2a0d0072e6df7eda411c2ef3f137571c353eb6caffab77a9056d4a3049c4e05962fa4b5ed2fcb2bbc94fb

Download Submit
memory/2748-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-14-0x00000000027A0000-0x00000000027E3000-memory.dmp

Filesize
268KB

Download
memory/3048-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads