Task
task1
Task
task2
General
-
Target
Exes_4a4608a2c2707b4dd2bc4b733ef4ef96.jpg
-
Sample
190808-qgyxkjj7dx
-
SHA256
efc8a598d15f50646444551c6ff08cea8c3a173f307ecc0b42aaa94d043fba3a
Score
N/A
Malware Config
Signatures
-
Suspicious use of UnmapMainImage 1 TTPs
-
Adds Run entry to start application 2 TTPs 2 IoCs
description \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (CreateKeyEx) \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" -
Suspicious registry modification 1 IoCs
description \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xVersion = "4.0.0.1" -
Suspicious behavior: EnumeratesProcesses
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3b4-0\Microsoft.PowerShell.Commands.Utility.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 5 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\37c-0\Microsoft.PowerShell.ConsoleHost.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\37c-0\Microsoft.PowerShell.GraphicalHost.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 5 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3fc-0\Microsoft.PowerShell.Core.Activities.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3fc-0\Microsoft.PowerShell.Security.Activities.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12c-0\Microsoft.PowerShell.Diagnostics.Activities.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\750-0\Microsoft.PowerShell.Editor.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\568-0\Microsoft.PowerShell.GPowerShell.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp -
Drops file in system dir 5 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4e0-0\Microsoft.PowerShell.ISECommon.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4e0-0\Microsoft.Windows.DSC.CoreConfProviders.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 5 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\734-0\Microsoft.PowerShell.Management.Activities.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\734-0\Microsoft.WSMan.Management.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3b8-0\Microsoft.PowerShell.ScheduledJob.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\69c-0\Microsoft.PowerShell.Security.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\65c-0\Microsoft.PowerShell.Utility.Activities.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp -
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\730-0\Microsoft.PowerShell.Workflow.ServiceCore.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\778-0\Microsoft.WSMan.Management.Activities.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp -
Drops file in system dir 3 IoCs
description C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0\Microsoft.WSMan.Runtime.dll C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\c80373093de278b947eba63c75e1dc5c\Microsoft.WSMan.Runtime.ni.dll.aux.tmp -
Loads dropped DLL 1 TTPs
-
troldesh family