Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10v200722
- submitted: 08-09-2020 07:26
- Static task: static1
- Behavioral task: behavioral1 (Sample: win32.exe, Resource: win7)
General
- Target: win32.exe
- Size: 264KB
- MD5: aee8a4f7de7a199cc9a7d5cfbc3e11d9
- SHA1: cd6c91aa00c6cf69573fb156198b6afb44a5a6e6
- SHA256: 5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
- SHA512: 7fefe7d493b1fc2a51db5d1e53fc0b59629f0aa982169a87378d0880d10dc051f337a0d3fb2cefb73a6a546d8910c189aa5cdd9539489db22c34e68f7b0c972e
Malware Config
Extracted: lokibot
- http://joovy.ga/webxpo/gate.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Extracted: formbook
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
-
Formbook Payload (7 IoCs)
Resource / YARA rule:
- behavioral2/memory/3004-29-0x0000000004C00000-0x0000000004C2D000-memory.dmp: formbook
- behavioral2/memory/3004-29-0x0000000004C00000-0x0000000004C2D000-memory.dmp: formbook
- behavioral2/memory/192-32-0x0000000000000000-mapping.dmp: formbook
- behavioral2/memory/2236-38-0x0000000000000000-mapping.dmp: formbook
- behavioral2/memory/2236-44-0x0000000006980000-0x0000000006AF3000-memory.dmp: formbook
- behavioral2/memory/2236-44-0x0000000006980000-0x0000000006AF3000-memory.dmp: formbook
- behavioral2/memory/2660-45-0x0000000000000000-mapping.dmp: formbook
-
ServiceHost packer (1 IoCs)
Detects ServiceHost packer used for .NET malware.
Resource / YARA rule:
- behavioral2/memory/2660-45-0x0000000000000000-mapping.dmp: servicehost
-
Blacklisted process makes network request (8 IoCs)
Processes: cmd.exe
- flow 15: PID 3884 cmd.exe
- flow 16: PID 3884 cmd.exe
- flow 17: PID 3884 cmd.exe
- flow 19: PID 3884 cmd.exe
- flow 21: PID 3884 cmd.exe
- flow 23: PID 3884 cmd.exe
- flow 25: PID 3884 cmd.exe
- flow 31: PID 3884 cmd.exe
-
Executes dropped EXE (2 IoCs)
Processes: 8zmBAMf.exe, SXqidAz.exe
- PID 1676 8zmBAMf.exe
- PID 3372 SXqidAz.exe
-
Sets file execution options in registry (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
-
Loads dropped DLL (3 IoCs)
Processes: rundll32.exe, rundll32.exe, rundll32.exe
- PID 3424 rundll32.exe
- PID 2616 rundll32.exe
- PID 3004 rundll32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: explorer.exe, cscript.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\95kg3eu71.exe\""
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\95kg3eu71.exe\""
- cscript.exe: Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- cscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\95kg3eu71.exe\""
- cscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\95kg3eu71.exe\""
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\95kg3eu71.exe"
- cscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
-
Checks whether UAC is enabled (2 IoCs)
Processes: cmd.exe, cscript.exe
- cmd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cscript.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
- explorer.exe: File opened for modification C:\ProgramData\Google Updater 2.0\desktop.ini
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: cscript.exe
- cscript.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
- cscript.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
-
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
Processes: cmd.exe, explorer.exe, cscript.exe
- PID 2316 cmd.exe (1 hit)
- PID 2660 explorer.exe (8 hits)
- PID 2236 cscript.exe (4 hits)
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: cmd.exe, cscript.exe
- PID 192 cmd.exe set thread context of PID 3016 (target process: Explorer.EXE)
- PID 2236 cscript.exe set thread context of PID 3016 (target process: Explorer.EXE)
- PID 2236 cscript.exe set thread context of PID 2660 (target process: explorer.exe)
-
Drops file in Windows directory (1 IoCs)
Processes: svchost.exe
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat
-
NSIS installer (12 IoCs)
Resource / YARA rule (each file matched nsis_installer_1 and nsis_installer_2, each rule twice):
- C:\Users\Admin\AppData\Roaming\8zmBAMf.exe: nsis_installer_1, nsis_installer_2
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe: nsis_installer_1, nsis_installer_2
- C:\Users\Admin\AppData\Roaming\SXqidAz.exe: nsis_installer_1, nsis_installer_2
-
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe, explorer.exe
- cmd.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- cmd.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
-
Modifies Internet Explorer settings (5 IoCs)
Processes: explorer.exe, cscript.exe
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"
- cscript.exe: Key created \Registry\User\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
-
Modifies data under HKEY_USERS (5 IoCs)
Processes: svchost.exe
- svchost.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"
- svchost.exe: Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 222bd794c285d601
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"
- svchost.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
-
Modifies system certificate store (2 IoCs)
Processes: cmd.exe
- cmd.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
- cmd.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [binary certificate blob omitted]
-
Suspicious behavior: EnumeratesProcesses (52 IoCs)
Processes: rundll32.exe, rundll32.exe, rundll32.exe, cmd.exe, explorer.exe, cscript.exe
- PID 3424 rundll32.exe (2 hits)
- PID 2616 rundll32.exe (1 hit)
- PID 3004 rundll32.exe (1 hit)
- PID 192 cmd.exe (4 hits)
- PID 2660 explorer.exe (18 hits)
- PID 2236 cscript.exe (26 hits)
-
Suspicious behavior: MapViewOfSection (16 IoCs)
Processes: rundll32.exe, rundll32.exe, rundll32.exe, cmd.exe, cmd.exe, explorer.exe, cscript.exe
- PID 3424 rundll32.exe (2 hits)
- PID 2616 rundll32.exe (1 hit)
- PID 3004 rundll32.exe (1 hit)
- PID 192 cmd.exe (3 hits)
- PID 2316 cmd.exe (2 hits)
- PID 2660 explorer.exe (1 hit)
- PID 2236 cscript.exe (6 hits)
-
Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes: svchost.exe, cmd.exe, cmd.exe, cmd.exe, explorer.exe, cscript.exe, Explorer.EXE
- PID 2588 svchost.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 3884 cmd.exe: Token: SeDebugPrivilege
- PID 2316 cmd.exe: Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 192 cmd.exe: Token: SeDebugPrivilege
- PID 2660 explorer.exe: Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 2236 cscript.exe: Token: SeDebugPrivilege
- PID 3016 Explorer.EXE: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
-
Suspicious use of WriteProcessMemory (270 IoCs)
Processes: win32.exe, rundll32.exe
- PID 3816 win32.exe wrote to memory of PID 3424 (target process: rundll32.exe), repeated 3 times
- PID 3424 rundll32.exe wrote to memory of PID 3896 (target process: cmd.exe), repeated 4 times
- PID 3424 rundll32.exe wrote to memory of PID 3884 (target process: cmd.exe), repeated many times (remaining entries)
Processes (tree depth in brackets)
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\win32.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\win32.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe KakaGemot,Hurley
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe"
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe"
          - Blacklisted process makes network request
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Roaming\8zmBAMf.exe
            command line: "C:\Users\Admin\AppData\Roaming\8zmBAMf.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\rundll32.exe
              command line: rundll32.exe KakaGemot,Hurley
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe"
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks processor information in registry
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\explorer.exe
                  command line: C:\Windows\SysWOW64\explorer.exe
                  - Modifies firewall policy service
                  - Checks BIOS information in registry
                  - Adds Run key to start application
                  - Drops desktop.ini file(s)
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Checks processor information in registry
                  - Enumerates system info in registry
                  - Modifies Internet Explorer settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Roaming\SXqidAz.exe
            command line: "C:\Users\Admin\AppData\Roaming\SXqidAz.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\rundll32.exe
              command line: rundll32.exe KakaGemot,Hurley
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe"
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cscript.exe
      command line: "C:\Windows\SysWOW64\cscript.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\Emphysema
- C:\Users\Admin\AppData\Local\Temp\KakaGemot.DLL
- C:\Users\Admin\AppData\Local\Temp\idea\openx\zope\70.opends60.dll
- C:\Users\Admin\AppData\Local\Temp\idea\openx\zope\MicrosoftVisualJUpgradeEngineInterface.dll
- C:\Users\Admin\AppData\Local\Temp\idea\openx\zope\u2lexch.dll
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe
- C:\Users\Admin\AppData\Roaming\8zmBAMf.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1400429095-533421673-2598934218-1000\0f5007522459c86e95ffcc62f32308f1_18823ca4-5761-4226-8787-cf36135f1c68
- C:\Users\Admin\AppData\Roaming\SXqidAz.exe
- \Users\Admin\AppData\Local\Temp\KakaGemot.dll
- memory/192-32-0x0000000000000000-mapping.dmp
- memory/1676-7-0x0000000000000000-mapping.dmp
- memory/2236-42-0x0000000006980000-0x0000000006AF3000-memory.dmp (1.4MB)
- memory/2236-38-0x0000000000000000-mapping.dmp
- memory/2236-44-0x0000000006980000-0x0000000006AF3000-memory.dmp (1.4MB)
- memory/2236-46-0x0000000006D40000-0x0000000006E05000-memory.dmp (788KB)
- memory/2236-40-0x0000000001120000-0x0000000001147000-memory.dmp (156KB)
- memory/2236-39-0x0000000001120000-0x0000000001147000-memory.dmp (156KB)
- memory/2316-30-0x0000000000000000-mapping.dmp
- memory/2316-31-0x0000000000400000-0x0000000000435000-memory.dmp (212KB)
- memory/2316-33-0x0000000004ED0000-0x0000000004F72000-memory.dmp (648KB)
- memory/2316-34-0x0000000005320000-0x0000000005760000-memory.dmp (4.2MB)
- memory/2616-22-0x00000000055A0000-0x00000000055D5000-memory.dmp (212KB)
- memory/2616-18-0x0000000000000000-mapping.dmp
- memory/2660-41-0x00000000064A0000-0x0000000006542000-memory.dmp (648KB)
- memory/2660-45-0x0000000000000000-mapping.dmp
- memory/2660-37-0x0000000000E20000-0x0000000001260000-memory.dmp (4.2MB)
- memory/2660-35-0x0000000000000000-mapping.dmp
- memory/2660-36-0x0000000000E20000-0x0000000001260000-memory.dmp (4.2MB)
- memory/3004-29-0x0000000004C00000-0x0000000004C2D000-memory.dmp (180KB)
- memory/3004-26-0x0000000000000000-mapping.dmp
- memory/3372-11-0x0000000000000000-mapping.dmp
- memory/3424-4-0x0000000005150000-0x00000000051F2000-memory.dmp (648KB)
- memory/3424-0-0x0000000000000000-mapping.dmp
- memory/3760-47-0x0000000000000000-mapping.dmp
- memory/3760-48-0x00007FF647530000-0x00007FF6475C3000-memory.dmp (588KB)
- memory/3760-49-0x00007FF647530000-0x00007FF6475C3000-memory.dmp (588KB)
- memory/3760-50-0x00007FF647530000-0x00007FF6475C3000-memory.dmp (588KB)
- memory/3884-5-0x0000000000000000-mapping.dmp
- memory/3884-6-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)