1055b3d90596...38.exe
windows7-x64
1055b3d90596...38.exe
windows10-2004-x64
1055bc6e4a24...7e.exe
windows7-x64
855bc6e4a24...7e.exe
windows10-2004-x64
855be056b62...2f.exe
windows7-x64
1055be056b62...2f.exe
windows10-2004-x64
1055c90346c1...7d.exe
windows7-x64
755c90346c1...7d.exe
windows10-2004-x64
755e68f668a...36.exe
windows7-x64
1055e68f668a...36.exe
windows10-2004-x64
105600890872...c9.exe
windows7-x64
15600890872...c9.exe
windows10-2004-x64
1563d48f590...69.exe
windows7-x64
7563d48f590...69.exe
windows10-2004-x64
756583e9f6e...61.exe
windows7-x64
1056583e9f6e...61.exe
windows10-2004-x64
10569bb28f26...62.exe
windows7-x64
7569bb28f26...62.exe
windows10-2004-x64
756a0fe7669...54.exe
windows7-x64
1056a0fe7669...54.exe
windows10-2004-x64
1056bf03053c...ec.exe
windows7-x64
1056bf03053c...ec.exe
windows10-2004-x64
1056f180528b...73.exe
windows7-x64
1056f180528b...73.exe
windows10-2004-x64
105737ca76a6...88.exe
windows7-x64
105737ca76a6...88.exe
windows10-2004-x64
10575bc86968...a1.exe
windows7-x64
7575bc86968...a1.exe
windows10-2004-x64
757d8199712...1f.exe
windows7-x64
1057d8199712...1f.exe
windows10-2004-x64
57f8be0d4c...5a.exe
windows7-x64
1057f8be0d4c...5a.exe
windows10-2004-x64
10Analysis
-
max time kernel
63s -
max time network
71s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:11
Behavioral task
behavioral1
Sample
55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
55bc6e4a240651d4266ea63bd771337e.exe
Resource
win7-20250207-en
Behavioral task
behavioral4
Sample
55bc6e4a240651d4266ea63bd771337e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
55e68f668a9bc6872ae937e6ffb74136.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
55e68f668a9bc6872ae937e6ffb74136.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
Resource
win7-20250207-en
Behavioral task
behavioral14
Sample
563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
569bb28f26e0170d21d0f5788a4ee262.exe
Resource
win7-20250207-en
Behavioral task
behavioral18
Sample
569bb28f26e0170d21d0f5788a4ee262.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
56bf03053c6a58211b3bb060862ea7ec.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
56bf03053c6a58211b3bb060862ea7ec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
56f180528b74e418299dd53d17305073.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
56f180528b74e418299dd53d17305073.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
Resource
win7-20250207-en
Behavioral task
behavioral30
Sample
57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe
Resource
win10v2004-20250314-en
Errors
General
-
Target
57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
-
Size
229KB
-
MD5
a0397395824c0069a98cbe5702f013a1
-
SHA1
730af9f2e0b3458788cca74c595d91fe165dbd49
-
SHA256
57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f
-
SHA512
8ab7f110b9989f24de8a264084c1e933c0b373f3619222c10a56b0ff10df29069d58e9cd847c0f196a6d71f54fbbca2221328d9a7901f4151dc60f887cc3afa1
-
SSDEEP
3072:it4FE9RQOqFdLD8KbgVtn8Mo8G1gVziHzZbIK1YKB/pCAcNqXhwBV3yxSQig8xNV:i8E9U/5bTgVziHzZnSKrCbYMwgba8Vq
Malware Config
Extracted
xworm
3.1
medicine-sports.gl.at.ply.gg:28097
-
install_file
Mason.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral30/memory/4412-1-0x00000252A6B20000-0x00000252A6B5E000-memory.dmp family_xworm behavioral30/memory/4412-13-0x00000252C12E0000-0x00000252C12EE000-memory.dmp family_xworm -
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation 57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe -
Executes dropped EXE 1 IoCs
pid Process 5432 czh3ngwa.yy1.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clears Windows Event Logs to hide the activity of an intrusion. Note that in this run the only IoC is attributed to the svchost.exe instance hosting the EventLog service (PID 1180), which writes .evtx files as part of normal operation, so this hit may not reflect activity of the sample itself.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx svchost.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandbox environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188012A0BFB5F0" svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5208 WerFault.exe 5208 WerFault.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 3760 svchost.exe 3760 svchost.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5328 wlrmdr.exe 5328 wlrmdr.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe 5432 czh3ngwa.yy1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4412 57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe Token: SeDebugPrivilege 5432 czh3ngwa.yy1.exe Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 2172 svchost.exe Token: SeIncreaseQuotaPrivilege 2172 svchost.exe Token: SeSecurityPrivilege 2172 svchost.exe Token: SeTakeOwnershipPrivilege 2172 svchost.exe Token: SeLoadDriverPrivilege 2172 svchost.exe Token: SeSystemtimePrivilege 2172 svchost.exe Token: SeBackupPrivilege 2172 svchost.exe Token: SeRestorePrivilege 2172 svchost.exe Token: SeShutdownPrivilege 2172 svchost.exe Token: SeSystemEnvironmentPrivilege 2172 svchost.exe Token: SeUndockPrivilege 2172 svchost.exe Token: SeManageVolumePrivilege 2172 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2172 svchost.exe Token: SeIncreaseQuotaPrivilege 2172 svchost.exe Token: SeSecurityPrivilege 2172 svchost.exe Token: SeTakeOwnershipPrivilege 2172 svchost.exe Token: SeLoadDriverPrivilege 2172 svchost.exe Token: SeSystemtimePrivilege 2172 svchost.exe Token: SeBackupPrivilege 2172 svchost.exe Token: SeRestorePrivilege 2172 svchost.exe Token: SeShutdownPrivilege 2172 svchost.exe Token: SeSystemEnvironmentPrivilege 2172 svchost.exe Token: SeUndockPrivilege 2172 svchost.exe Token: SeManageVolumePrivilege 2172 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2172 svchost.exe Token: SeIncreaseQuotaPrivilege 2172 svchost.exe Token: SeSecurityPrivilege 2172 svchost.exe Token: SeTakeOwnershipPrivilege 2172 svchost.exe Token: SeLoadDriverPrivilege 2172 svchost.exe Token: SeSystemtimePrivilege 2172 svchost.exe Token: SeBackupPrivilege 2172 svchost.exe Token: SeRestorePrivilege 2172 svchost.exe Token: SeShutdownPrivilege 2172 svchost.exe Token: 
SeSystemEnvironmentPrivilege 2172 svchost.exe Token: SeUndockPrivilege 2172 svchost.exe Token: SeManageVolumePrivilege 2172 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2172 svchost.exe Token: SeIncreaseQuotaPrivilege 2172 svchost.exe Token: SeSecurityPrivilege 2172 svchost.exe Token: SeTakeOwnershipPrivilege 2172 svchost.exe Token: SeLoadDriverPrivilege 2172 svchost.exe Token: SeSystemtimePrivilege 2172 svchost.exe Token: SeBackupPrivilege 2172 svchost.exe Token: SeRestorePrivilege 2172 svchost.exe Token: SeShutdownPrivilege 2172 svchost.exe Token: SeSystemEnvironmentPrivilege 2172 svchost.exe Token: SeUndockPrivilege 2172 svchost.exe Token: SeManageVolumePrivilege 2172 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2172 svchost.exe Token: SeIncreaseQuotaPrivilege 2172 svchost.exe Token: SeSecurityPrivilege 2172 svchost.exe Token: SeTakeOwnershipPrivilege 2172 svchost.exe Token: SeLoadDriverPrivilege 2172 svchost.exe Token: SeSystemtimePrivilege 2172 svchost.exe Token: SeBackupPrivilege 2172 svchost.exe Token: SeRestorePrivilege 2172 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5328 wlrmdr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4412 wrote to memory of 5432 4412 57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe 88 PID 4412 wrote to memory of 5432 4412 57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe 88 PID 5432 wrote to memory of 612 5432 czh3ngwa.yy1.exe 5 PID 5432 wrote to memory of 676 5432 czh3ngwa.yy1.exe 7 PID 5432 wrote to memory of 968 5432 czh3ngwa.yy1.exe 12 PID 5432 wrote to memory of 316 5432 czh3ngwa.yy1.exe 13 PID 676 wrote to memory of 2656 676 lsass.exe 46 PID 5432 wrote to memory of 428 5432 czh3ngwa.yy1.exe 14 PID 5432 wrote to memory of 964 5432 czh3ngwa.yy1.exe 15 PID 5432 wrote to memory of 1100 5432 czh3ngwa.yy1.exe 17 PID 5432 wrote to memory of 1116 5432 czh3ngwa.yy1.exe 18 PID 5432 wrote to memory of 1136 5432 czh3ngwa.yy1.exe 19 PID 5432 wrote to memory of 1180 5432 czh3ngwa.yy1.exe 20 PID 5432 wrote to memory of 1304 5432 czh3ngwa.yy1.exe 21 PID 5432 wrote to memory of 1316 5432 czh3ngwa.yy1.exe 22 PID 5432 wrote to memory of 1352 5432 czh3ngwa.yy1.exe 23 PID 5432 wrote to memory of 1448 5432 czh3ngwa.yy1.exe 24 PID 5432 wrote to memory of 1472 5432 czh3ngwa.yy1.exe 25 PID 5432 wrote to memory of 1528 5432 czh3ngwa.yy1.exe 26 PID 5432 wrote to memory of 1540 5432 czh3ngwa.yy1.exe 27 PID 5432 wrote to memory of 1660 5432 czh3ngwa.yy1.exe 28 PID 5432 wrote to memory of 1692 5432 czh3ngwa.yy1.exe 29 PID 5432 wrote to memory of 1732 5432 czh3ngwa.yy1.exe 30 PID 5432 wrote to memory of 1776 5432 czh3ngwa.yy1.exe 31 PID 5432 wrote to memory of 1812 5432 czh3ngwa.yy1.exe 32 PID 5432 wrote to memory of 1892 5432 czh3ngwa.yy1.exe 33 PID 5432 wrote to memory of 1900 5432 czh3ngwa.yy1.exe 34 PID 5432 wrote to memory of 1968 5432 czh3ngwa.yy1.exe 35 PID 5432 wrote to memory of 1988 5432 czh3ngwa.yy1.exe 36 PID 5432 wrote to memory of 1688 5432 czh3ngwa.yy1.exe 37 PID 5432 wrote to memory of 2108 5432 czh3ngwa.yy1.exe 39 PID 5432 wrote to memory of 2172 5432 czh3ngwa.yy1.exe 40 PID 5432 wrote to 
memory of 2248 5432 czh3ngwa.yy1.exe 41 PID 676 wrote to memory of 2656 676 lsass.exe 46 PID 5432 wrote to memory of 2408 5432 czh3ngwa.yy1.exe 42 PID 5432 wrote to memory of 2416 5432 czh3ngwa.yy1.exe 43 PID 5432 wrote to memory of 2560 5432 czh3ngwa.yy1.exe 44 PID 5432 wrote to memory of 2620 5432 czh3ngwa.yy1.exe 45 PID 5432 wrote to memory of 2656 5432 czh3ngwa.yy1.exe 46 PID 5432 wrote to memory of 2684 5432 czh3ngwa.yy1.exe 47 PID 5432 wrote to memory of 2700 5432 czh3ngwa.yy1.exe 48 PID 5432 wrote to memory of 2848 5432 czh3ngwa.yy1.exe 49 PID 5432 wrote to memory of 2944 5432 czh3ngwa.yy1.exe 50 PID 5432 wrote to memory of 3036 5432 czh3ngwa.yy1.exe 51 PID 5432 wrote to memory of 3048 5432 czh3ngwa.yy1.exe 52 PID 5432 wrote to memory of 3016 5432 czh3ngwa.yy1.exe 54 PID 5432 wrote to memory of 3320 5432 czh3ngwa.yy1.exe 55 PID 5432 wrote to memory of 3404 5432 czh3ngwa.yy1.exe 56 PID 5432 wrote to memory of 3532 5432 czh3ngwa.yy1.exe 57 PID 5432 wrote to memory of 3736 5432 czh3ngwa.yy1.exe 58 PID 5432 wrote to memory of 3892 5432 czh3ngwa.yy1.exe 60 PID 5432 wrote to memory of 3592 5432 czh3ngwa.yy1.exe 62 PID 5432 wrote to memory of 4300 5432 czh3ngwa.yy1.exe 64 PID 5432 wrote to memory of 5680 5432 czh3ngwa.yy1.exe 65 PID 5432 wrote to memory of 3392 5432 czh3ngwa.yy1.exe 67 PID 5432 wrote to memory of 452 5432 czh3ngwa.yy1.exe 68 PID 5432 wrote to memory of 5872 5432 czh3ngwa.yy1.exe 69 PID 5432 wrote to memory of 5944 5432 czh3ngwa.yy1.exe 70 PID 5432 wrote to memory of 1720 5432 czh3ngwa.yy1.exe 72 PID 5432 wrote to memory of 1444 5432 czh3ngwa.yy1.exe 73 PID 5432 wrote to memory of 5044 5432 czh3ngwa.yy1.exe 74 PID 5432 wrote to memory of 6096 5432 czh3ngwa.yy1.exe 75 PID 5432 wrote to memory of 5996 5432 czh3ngwa.yy1.exe 76 PID 5432 wrote to memory of 5932 5432 czh3ngwa.yy1.exe 77
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 32⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5328
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 676 -s 42002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5208
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1136
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3036
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1304
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1472
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2848
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1528
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1540
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1660
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1692
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1812
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1892
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1900
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1988
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2248
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2620
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2944
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3048
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3016
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3320
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe"C:\Users\Admin\AppData\Local\Temp\57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\czh3ngwa.yy1.exe"C:\Users\Admin\AppData\Local\Temp\czh3ngwa.yy1.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5432
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3532
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3736
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3892
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:4300
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:3392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:452
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:5872
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5944
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:1720
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:1444
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:5044
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:6096
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:5996
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:5932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:5864
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3612
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2352
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
38KB
MD5f40e9e6f2afc5370d4262bb8287ce4fe
SHA1340db7c8fa196a11a17d16e63101e15b0a976a08
SHA256bc3dc2d3492632b40c701f227ba8b819f69eb907aa0636615854d53162a72c90
SHA512bbc6df02c6e910da00f456ff99916257bc4cb04c8b51a7260af6f9600b76750a21efdcfca4e9dfdb234457aeb123e5eb344472eb32e4c2678d0b6e28ca3ee737
-
Filesize
13KB
MD56fa4af8dd5784fed1f60f28fa92f161e
SHA17d74ecca1922f3a26f192492fcaba3ba8cc9bced
SHA256848ebbd56029bc5cf81cf0b8b61c6f6040f34895ee50ad19943bc09299f348f5
SHA512d828f2c1695289c9d6903aa5ef2c53a0d732c3b0320b511cbd4f489ca3314b20247b7b248c28dffe2b9d1b76757bbedae5425c7df8cbcfe7328cd9d52079c7c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD57ad2d0fa450455bf3fe198a21dbc195c
SHA1bda92c67d64627f08336f0477489e1eddb4b7d95
SHA25600399cc0be035a8dee30474a81129028590ca6642c004d133e45000e4d7d20b9
SHA512180dc62f6ce18578a9f0b9ec228cdacebcc23b3c6c8df746dcc2a48eb3ac5354297885fd2514487fd3391ef8b74471e232a4a17bad9063b3b37dfc3a92abe5cd
-
Filesize
161KB
MD594f1ab3a068f83b32639579ec9c5d025
SHA138f3d5bc5de46feb8de093d11329766b8e2054ae
SHA256879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0
SHA51244d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c