Resubmissions
09-09-2020 09:18
200909-ev13telmdn 1008-09-2020 17:08
200908-br2a8ynnpn 1008-09-2020 17:07
200908-2bbw72ekmn 1008-09-2020 16:54
200908-qgbye23mhs 1008-09-2020 16:46
200908-p5f4c5cdzj 10Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10_x64 -
resource
win10 -
submitted
08-09-2020 16:46
Static task
static1
Behavioral task
behavioral1
Sample
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
-
Size
154KB
-
MD5
91879bdd73625ac38c31fe5225310e92
-
SHA1
a007b979483ee6b57b93a11340932a60f5781570
-
SHA256
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b
-
SHA512
22678f18385ed177ed34cac52fc8667c6d6cdc2953b1818a6e530411894aa6947b04408320137af8ebd5b1d6d733f374a1d962608e0e6c234e5a43b89fe9de3c
Malware Config
Extracted
Path
C:\Users\Admin\AppData\LocalLow\machineinfo.txt
Family
raccoon
Ransom Note
[Raccoon Stealer] - v1.5.13-af-hotfix Release
Build compiled on Mon Jul 6 14:33:03 2020
Launched at: 2020.09.08 - 16:43:27 GMT
Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin
Running on a desktop
=R=A=C=C=O=O=N=
- Cookies: 0
- Passwords: 5
- Files: 0
System Information:
- System Language: English
- System TimeZone: -0 hrs
- IP: 154.61.71.51
- Location: 37.750999, -97.821999 | ?, ?, United States (?)
- ComputerName: GOHCSFBB
- Username: Admin
- Windows version: NT 10.0
- Product name: Windows 10 Pro
- System arch: x64
- CPU: Persocon Processor 2.5+ (2 cores)
- RAM: 4095 MB (717 MB used)
- Screen resolution: 1280x720
- Display devices:
0) Microsoft Basic Display Adapter
============
Extracted
Family
smokeloader
Version
2020
C2
http://dkajsdjiqwdwnfj.info/
http://2831ujedkdajsdj.info/
http://928eijdksasnfss.info/
https://dkajsdjiqwdwnfj.info/
https://2831ujedkdajsdj.info/
https://928eijdksasnfss.info/
rc4.i32
rc4.i32
Extracted
Family
zloader
Botnet
DLLobnova
Campaign
02.09.2020
C2
https://fsakfkdsajdajskjajs.online/gate.php
https://fdsadjsadsdsa.online/gate.php
https://dlsafoslfskfsafad.online/gate.php
https://dsofkasfsakdsdsa.online/gate.php
https://dkjsjdsjdjasduiasida.online/gate.php
https://fqnvtmqsywublocpheas.ru/gate.php
https://fqnvtmqsywublocpheas.su/gate.php
https://fqnvtmqsywublocpheas.eu/gate.php
https://fqnvtmqsywublocpheas.net/gate.php
https://fqnvtmqsywublodscpheas.com/gate.php
rc4.plain
rsa_pubkey.plain
Signatures
-
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule raccoon_log_file -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
Processes:
6095.exepid Process 1704 6095.exe -
Deletes itself 1 IoCs
Processes:
pid Process 2976 -
Loads dropped DLL 10 IoCs
Processes:
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exeregsvr32.exe6095.exepid Process 3024 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe 1588 regsvr32.exe 1704 6095.exe 1704 6095.exe 1704 6095.exe 1704 6095.exe 1704 6095.exe 1704 6095.exe 1704 6095.exe 1704 6095.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Iqpeelb = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Naworo\\ylka.dll" msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x000100000001ad97-19.dat js -
Suspicious use of SetThreadContext 1 IoCs
Processes:
regsvr32.exedescription pid Process procid_target PID 1588 set thread context of 1292 1588 regsvr32.exe 82 -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc Process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exedescription ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 3804 timeout.exe -
Modifies data under HKEY_USERS 7 IoCs
Processes:
svchost.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 72745a10ff85d601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = ce95574eff85d601 svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 3a995a60ff85d601 svchost.exe -
Suspicious behavior: EnumeratesProcesses 2624 IoCs
Processes:
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exepid Process 3024 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe 3024 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 2976 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exepid Process 3024 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
svchost.exemsiexec.exedescription pid Process Token: SeShutdownPrivilege 500 svchost.exe Token: SeCreatePagefilePrivilege 500 svchost.exe Token: SeSecurityPrivilege 1292 msiexec.exe Token: SeSecurityPrivilege 1292 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
regsvr32.exe6095.execmd.exeregsvr32.exedescription pid Process procid_target PID 2976 wrote to memory of 1520 2976 76 PID 2976 wrote to memory of 1520 2976 76 PID 1520 wrote to memory of 1588 1520 regsvr32.exe 77 PID 1520 wrote to memory of 1588 1520 regsvr32.exe 77 PID 1520 wrote to memory of 1588 1520 regsvr32.exe 77 PID 2976 wrote to memory of 1704 2976 78 PID 2976 wrote to memory of 1704 2976 78 PID 2976 wrote to memory of 1704 2976 78 PID 1704 wrote to memory of 4040 1704 6095.exe 79 PID 1704 wrote to memory of 4040 1704 6095.exe 79 PID 1704 wrote to memory of 4040 1704 6095.exe 79 PID 4040 wrote to memory of 3804 4040 cmd.exe 81 PID 4040 wrote to memory of 3804 4040 cmd.exe 81 PID 4040 wrote to memory of 3804 4040 cmd.exe 81 PID 1588 wrote to memory of 1292 1588 regsvr32.exe 82 PID 1588 wrote to memory of 1292 1588 regsvr32.exe 82 PID 1588 wrote to memory of 1292 1588 regsvr32.exe 82 PID 1588 wrote to memory of 1292 1588 regsvr32.exe 82 PID 1588 wrote to memory of 1292 1588 regsvr32.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe"C:\Users\Admin\AppData\Local\Temp\23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3024
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:500
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\5F5C.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\5F5C.dll2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
-
C:\Users\Admin\AppData\Local\Temp\6095.exeC:\Users\Admin\AppData\Local\Temp\6095.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6095.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:3804
-
-