a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Size

990KB
MD5

88d6b61f9b307ca1ba9aefbe413ca028
SHA1

0a67ce5a5f48652547563812911b2d94418a0dcc
SHA256

5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc
SHA512

36a0c8038390bae34c05610a2396c47ef575905b205fbc4ca13dc4984a18cc42ee3d9def3664ee67fc2fe4a2f1056c59058211e1b92bdd4d5e8683d74e0a5ccf
SSDEEP

12288:DpqiC/2OGAtkCP4cejGSOpRK3CnIiCSsPKplohwrsclnn:Dpo/2+ttPJLfpRK3CnHCSoWuUsE

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe"	system3_.exe

Executes dropped EXE 2 IoCs

pid	Process
1228	system3_.exe
3728	system3_.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe"	system3_.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	system3_.exe
File opened (read-only)	\??\t:	system3_.exe
File opened (read-only)	\??\y:	system3_.exe
File opened (read-only)	\??\z:	system3_.exe
File opened (read-only)	\??\n:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\p:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\j:	system3_.exe
File opened (read-only)	\??\l:	system3_.exe
File opened (read-only)	\??\v:	system3_.exe
File opened (read-only)	\??\g:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\y:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\i:	system3_.exe
File opened (read-only)	\??\k:	system3_.exe
File opened (read-only)	\??\l:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\q:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\w:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\e:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\h:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\o:	system3_.exe
File opened (read-only)	\??\p:	system3_.exe
File opened (read-only)	\??\r:	system3_.exe
File opened (read-only)	\??\u:	system3_.exe
File opened (read-only)	\??\w:	system3_.exe
File opened (read-only)	\??\b:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\a:	system3_.exe
File opened (read-only)	\??\b:	system3_.exe
File opened (read-only)	\??\s:	system3_.exe
File opened (read-only)	\??\x:	system3_.exe
File opened (read-only)	\??\j:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\k:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\m:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\o:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\n:	system3_.exe
File opened (read-only)	\??\a:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\r:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\s:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\x:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\e:	system3_.exe
File opened (read-only)	\??\g:	system3_.exe
File opened (read-only)	\??\v:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\h:	system3_.exe
File opened (read-only)	\??\m:	system3_.exe
File opened (read-only)	\??\i:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\t:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\u:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened (read-only)	\??\z:	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral25/memory/1600-0-0x0000000000400000-0x00000000004D7000-memory.dmp	autoit_exe
behavioral25/files/0x000b00000002404f-5.dat	autoit_exe
behavioral25/memory/3728-8-0x0000000000400000-0x00000000004D7000-memory.dmp	autoit_exe
behavioral25/memory/3728-9-0x0000000000400000-0x00000000004D7000-memory.dmp	autoit_exe
behavioral25/memory/1600-93-0x0000000000400000-0x00000000004D7000-memory.dmp	autoit_exe
behavioral25/memory/1228-94-0x0000000000400000-0x00000000004D7000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\f:\autorun.inf	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened for modification	F:\\autorun.inf	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File opened for modification	F:\\autorun.inf	system3_.exe
File created	\??\d:\autorun.inf	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
File created	\??\d:\autorun.inf	system3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system3_.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main	system3_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.mydreamworld.50webs.com"	system3_.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\Main	system3_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.mydreamworld.50webs.com"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\Main	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.mydreamworld.50webs.com"	system3_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.mydreamworld.50webs.com"	system3_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.mydreamworld.50webs.com"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.mydreamworld.50webs.com"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com"	system3_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com"	system3_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com"	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
3728	system3_.exe
3728	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1228	system3_.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
1228	system3_.exe
1228	system3_.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 760	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	91
PID 1600 wrote to memory of 760	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	91
PID 1600 wrote to memory of 760	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	91
PID 760 wrote to memory of 1812	760	cmd.exe	94
PID 760 wrote to memory of 1812	760	cmd.exe	94
PID 760 wrote to memory of 1812	760	cmd.exe	94
PID 4100 wrote to memory of 1228	4100	cmd.exe	95
PID 4100 wrote to memory of 1228	4100	cmd.exe	95
PID 4100 wrote to memory of 1228	4100	cmd.exe	95
PID 1600 wrote to memory of 1876	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	96
PID 1600 wrote to memory of 1876	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	96
PID 1600 wrote to memory of 1876	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	96
PID 1228 wrote to memory of 1948	1228	system3_.exe	99
PID 1228 wrote to memory of 1948	1228	system3_.exe	99
PID 1228 wrote to memory of 1948	1228	system3_.exe	99
PID 1876 wrote to memory of 3216	1876	cmd.exe	102
PID 1876 wrote to memory of 3216	1876	cmd.exe	102
PID 1876 wrote to memory of 3216	1876	cmd.exe	102
PID 2000 wrote to memory of 3728	2000	cmd.exe	103
PID 2000 wrote to memory of 3728	2000	cmd.exe	103
PID 2000 wrote to memory of 3728	2000	cmd.exe	103
PID 1948 wrote to memory of 2716	1948	cmd.exe	104
PID 1948 wrote to memory of 2716	1948	cmd.exe	104
PID 1948 wrote to memory of 2716	1948	cmd.exe	104
PID 1228 wrote to memory of 3496	1228	system3_.exe	105
PID 1228 wrote to memory of 3496	1228	system3_.exe	105
PID 1228 wrote to memory of 3496	1228	system3_.exe	105
PID 3496 wrote to memory of 3404	3496	cmd.exe	107
PID 3496 wrote to memory of 3404	3496	cmd.exe	107
PID 3496 wrote to memory of 3404	3496	cmd.exe	107
PID 1228 wrote to memory of 3216	1228	system3_.exe	116
PID 1228 wrote to memory of 3216	1228	system3_.exe	116
PID 1228 wrote to memory of 3216	1228	system3_.exe	116
PID 1600 wrote to memory of 2876	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	118
PID 1600 wrote to memory of 2876	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	118
PID 1600 wrote to memory of 2876	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	118
PID 2876 wrote to memory of 2692	2876	cmd.exe	120
PID 2876 wrote to memory of 2692	2876	cmd.exe	120
PID 2876 wrote to memory of 2692	2876	cmd.exe	120
PID 3216 wrote to memory of 1876	3216	cmd.exe	121
PID 3216 wrote to memory of 1876	3216	cmd.exe	121
PID 3216 wrote to memory of 1876	3216	cmd.exe	121
PID 1228 wrote to memory of 468	1228	system3_.exe	122
PID 1228 wrote to memory of 468	1228	system3_.exe	122
PID 1228 wrote to memory of 468	1228	system3_.exe	122
PID 1600 wrote to memory of 1916	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	123
PID 1600 wrote to memory of 1916	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	123
PID 1600 wrote to memory of 1916	1600	5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe	123
PID 1916 wrote to memory of 4320	1916	cmd.exe	126
PID 1916 wrote to memory of 4320	1916	cmd.exe	126
PID 1916 wrote to memory of 4320	1916	cmd.exe	126
PID 468 wrote to memory of 4688	468	cmd.exe	127
PID 468 wrote to memory of 4688	468	cmd.exe	127
PID 468 wrote to memory of 4688	468	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
"C:\Users\Admin\AppData\Local\Temp\5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\system3_.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\Desktop\system3_.exe
  C:\Users\Admin\Desktop\system3_.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\system volume information" /e /g "Admin":f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\system volume information" /e /g "Admin":f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\system3_.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\Desktop\system3_.exe
  C:\Users\Admin\Desktop\system3_.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3728

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
4a90329071ae30b759d279cca342b0a6

SHA1
0ac7c4f3357ce87f37a3a112d6878051c875eda5

SHA256
fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b

SHA512
f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
530B

MD5
1fbb37f79b317a9a248e7c4ce4f5bac5

SHA1
0ff4d709ebf17be0c28e66dc8bf74672ca28362a

SHA256
6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9

SHA512
287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
7b72165ce1dfe1130d0bddea07ee14f5

SHA1
f009909aa8597240b0af3e877e599b9244660f1f

SHA256
3f517e079b33bfdbb127021ea2ad03cf4f52d8a26468cc2834c420e5ce7332df

SHA512
404992d9a0d18f02b451b2e8a86a4906cfd802e9ea69737018876b44db8609f71967eb4e562072a09be9b74eceaea308f2f23bc141804c7c91d1a5ac252c9c45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
96df6b9dc6d501d498a01a9b736319cc

SHA1
1dd1bda8a39941f7a3fa780d44ab9da680a1932b

SHA256
b949fc8f802a0e5609be0815bba5a8c7f335eeb0d907bb69b217b273b7926b84

SHA512
6877a61a1ccf863bd6d4cf93045842e1054681cf2d30d2360d63519d7b26b35155f26624bc7aab8498c7ec36daf225c787028b1567e4e78ce0334758117216c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H2HS1UOT\setting[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\Desktop\autorun.ini

Filesize
102B

MD5
948c74cd98911b420ff89dac13399bcb

SHA1
76dfc73518f003953923b1b4f2b973f4bb56a411

SHA256
94a1ac3d574425ec8a3cc01675e4d787373d2a190dddd4f8ba507c49ca3fd42a

SHA512
b31d82ede9d48e390a50a9dcf5c4c607c62638e8bc56f473250f9a56b7967d5de948abed69bbb2c35eb0112288faa5c438316b06ccbb36d289e93952b30e2ede

Download Submit
C:\Users\Admin\Desktop\system3_.exe

Filesize
990KB

MD5
88d6b61f9b307ca1ba9aefbe413ca028

SHA1
0a67ce5a5f48652547563812911b2d94418a0dcc

SHA256
5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc

SHA512
36a0c8038390bae34c05610a2396c47ef575905b205fbc4ca13dc4984a18cc42ee3d9def3664ee67fc2fe4a2f1056c59058211e1b92bdd4d5e8683d74e0a5ccf

Download Submit
memory/1228-94-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1600-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1600-93-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3728-8-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3728-9-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download