General
Target: Exes_3b8bc9110753815fdcbdb6aecb0f92fa.exe
Sample: 190819-mk44hdennn
SHA256: e23f2e452ca27e821ed6ce386e1e7d5996be52edc1ce678e80ff2aad0edfb30e
Score: N/A
Malware Config
Signatures
Suspicious registry modification (26 IoCs)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing = "0"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\EnableFileTracing = "0"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\EnableConsoleTracing = "0"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\FileTracingMask = "4294901760"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\ConsoleTracingMask = "4294901760"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\MaxFileSize = "1048576"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\FileDirectory = "%windir%\\tracing"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\EnableFileTracing = "0"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\EnableConsoleTracing = "0"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\FileTracingMask = "4294901760"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\ConsoleTracingMask = "4294901760"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\MaxFileSize = "1048576"
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\FileDirectory = "%windir%\\tracing"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D76EA39-C1C1-4A07-92E8-AD5F010900A5}\WpadDecisionReason = "1"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D76EA39-C1C1-4A07-92E8-AD5F010900A5}\WpadDecisionTime = e0608da8d856d501
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D76EA39-C1C1-4A07-92E8-AD5F010900A5}\WpadDecision = "3"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D76EA39-C1C1-4A07-92E8-AD5F010900A5}\WpadNetworkName = "Network"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-15-75-ab-17-7c\WpadDecisionReason = "1"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-15-75-ab-17-7c\WpadDecisionTime = e0608da8d856d501
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-15-75-ab-17-7c\WpadDecision = "3"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = ...
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork = "{8D76EA39-C1C1-4A07-92E8-AD5F010900A5}"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  \REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
Loads dropped DLL (1 TTP; reported 18 times)
Drops file in system dir (2 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\610-0\System.Management.Automation.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ed18cbebc219551b9c8751127acc37ae\System.Management.Automation.ni.dll.aux.tmp
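The registry IoC list and the dropped-file list above are raw data; the following is an added Python example (not part of the sandbox report or its tooling) that turns them into something an analyst can act on. It parses lines in the report's own `path\name = value` form, buckets each key by what subsystem writes it, decodes the `WpadDecisionTime` FILETIME and the header of the `SavedLegacySettings` blob, and extracts the assembly name from the NGEN native-image paths. The six registry lines and two file paths embedded below are copied from the report; the category names, the flag-bit names for the connection-settings header and the helper names are this example's own choices.

```python
"""Triage helpers for the IoCs printed in the sandbox report above.

Added example, not part of the original report. The IoC lines in
REPORT_IOCS / FILE_IOCS are copied from the report; category names,
decoders and flag names are this example's own interpretation.
"""
import struct
from datetime import datetime, timedelta, timezone

# Six of the report's 26 registry IoC lines, copied as printed there.
REPORT_IOCS = r"""
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASAPI32\EnableFileTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Exes_3b8bc9110753815fdcbdb6aecb0f92fa_RASMANCS\FileDirectory = "%windir%\\tracing"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D76EA39-C1C1-4A07-92E8-AD5F010900A5}\WpadDecisionTime = e0608da8d856d501
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
"""

# The two "Drops file in system dir" paths from the report.
FILE_IOCS = r"""
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\610-0\System.Management.Automation.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ed18cbebc219551b9c8751127acc37ae\System.Management.Automation.ni.dll.aux.tmp
"""

# Key-path fragment -> category (example's own names). First match wins.
CATEGORY_RULES = [
    ("\\Microsoft\\Tracing", "ras-tracing"),            # written by Windows when a process uses RAS/WinINet
    ("\\Internet Settings\\Wpad", "wpad-autodetect"),   # proxy auto-discovery state per network
    ("\\Internet Settings\\Connections", "proxy-blob"), # binary connection-settings blobs
    ("\\Internet Settings\\ZoneMap", "zone-map"),
    ("\\Internet Settings", "proxy-setting"),
]

# Flag bits in the DWORD at offset 8 of the connection-settings blob header.
PROXY_FLAGS = {0x1: "DIRECT", 0x2: "PROXY", 0x4: "AUTO_CONFIG_SCRIPT", 0x8: "AUTO_DETECT"}


def parse_ioc(line):
    """Split a report line 'key\\name = value' into (key_path, value_name, value)."""
    left, _, value = line.partition(" = ")
    key_path, _, name = left.rpartition("\\")
    return key_path, name, value.strip().strip('"')


def categorise(key_path):
    for fragment, category in CATEGORY_RULES:
        if fragment in key_path:
            return category
    return "uncategorised"


def filetime_hex_to_utc(hex_le):
    """Decode a little-endian FILETIME hex string (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(bytes.fromhex(hex_le), "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def decode_connection_settings(hex_blob):
    """Decode the 12-byte header (version, change counter, flags) of the blob."""
    version, counter, flags = struct.unpack("<III", bytes.fromhex(hex_blob[:24]))
    return {"version": version, "counter": counter,
            "flags": [name for bit, name in PROXY_FLAGS.items() if flags & bit]}


def classify_dropped_file(path):
    """Tag NGEN native-image cache writes and recover the managed assembly name."""
    if "\\assembly\\NativeImages_" in path:
        base = path.rsplit("\\", 1)[1]
        assembly = base.split(".ni.dll")[0].split(".dll")[0]
        return {"path": path, "category": "ngen-native-image", "assembly": assembly}
    return {"path": path, "category": "uncategorised", "assembly": None}


def triage(report_text):
    """One dict per registry IoC line, with a category and a decoded value where possible."""
    findings = []
    for line in report_text.strip().splitlines():
        key_path, name, value = parse_ioc(line)
        entry = {"key": key_path, "name": name, "value": value, "category": categorise(key_path)}
        if name == "WpadDecisionTime":
            entry["decoded"] = filetime_hex_to_utc(value).isoformat()
        elif name in ("SavedLegacySettings", "DefaultConnectionSettings"):
            entry["decoded"] = decode_connection_settings(value)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_IOCS):
        extra = f"  -> {f['decoded']}" if "decoded" in f else ""
        print(f"[{f['category']:15}] {f['name']} = {f['value'][:24]}{extra}")
    for p in FILE_IOCS.strip().splitlines():
        print(classify_dropped_file(p))
```

Two things fall out of running this. The `WpadDecisionTime` value decodes to 2019-08-19 21:54 UTC, which agrees with the `190819` prefix of the sample ID, and the `SavedLegacySettings` header reads version 0x46, counter 3, flags DIRECT + AUTO_DETECT, which matches `ProxyEnable = "0"` and `ZoneMap\AutoDetect = "1"` in the same list. The `Tracing\<exe>_RASAPI32` and `_RASMANCS` keys are created by Windows itself the first time a process calls into the RAS/WinINet stack, so together with the WPAD entries they show that the sample did network-capable API calls, not that it authored a configuration change. Both dropped-file paths resolve to `System.Management.Automation`, the PowerShell engine assembly, so that assembly was loaded and native-image compiled during the run; that is worth pairing with the repeated "Loads dropped DLL" hits when judging what the sample does.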