smokeloader | 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b

Target

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Size

154KB
MD5

91879bdd73625ac38c31fe5225310e92
SHA1

a007b979483ee6b57b93a11340932a60f5781570
SHA256

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b
SHA512

22678f18385ed177ed34cac52fc8667c6d6cdc2953b1818a6e530411894aa6947b04408320137af8ebd5b1d6d733f374a1d962608e0e6c234e5a43b89fe9de3c

Score

10^/10

ransomware spyware trojan backdoor smokeloader stealer raccoon botnet zloader discovery

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.08 - 16:53:35 GMT Bot_ID: BAE8C589-5DA1-4C62-BE46-F8D74908CB8C_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 0 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: AVGLFESB - Username: Admin - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (444 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Extracted

Family

smokeloader

Version

2020

http://dkajsdjiqwdwnfj.info/

http://2831ujedkdajsdj.info/

http://928eijdksasnfss.info/

https://dkajsdjiqwdwnfj.info/

https://2831ujedkdajsdj.info/

https://928eijdksasnfss.info/

rc4.i32

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

02.09.2020

https://fsakfkdsajdajskjajs.online/gate.php

https://fdsadjsadsdsa.online/gate.php

https://dlsafoslfskfsafad.online/gate.php

https://dsofkasfsakdsdsa.online/gate.php

https://dkjsjdsjdjasduiasida.online/gate.php

https://fqnvtmqsywublocpheas.ru/gate.php

https://fqnvtmqsywublocpheas.su/gate.php

https://fqnvtmqsywublocpheas.eu/gate.php

https://fqnvtmqsywublocpheas.net/gate.php

https://fqnvtmqsywublodscpheas.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon log file 1 IoCs

Detects a log file produced by the Raccoon Stealer.

yara_rule
raccoon_log_file

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Executes dropped EXE 1 IoCs

pid	Process
640	7927.exe

Deletes itself 1 IoCs

pid	Process
1292	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
900	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
924	regsvr32.exe
640	7927.exe
640	7927.exe
640	7927.exe
640	7927.exe
640	7927.exe
640	7927.exe
640	7927.exe
640	7927.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00030000000131a9-17.dat	js

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1940	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies registry class 78 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616193"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f806d7a8722a1371a4691b0dbda5aaebc990000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7927.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7927.exe

Suspicious behavior: EnumeratesProcesses 770 IoCs

pid	Process
900	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
900	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
900	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1292	Process not Found
Token: 33	1092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1092	AUDIODG.EXE
Token: 33	1092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1092	AUDIODG.EXE
Token: SeShutdownPrivilege	1292	Process not Found
Token: SeShutdownPrivilege	1292	Process not Found
Token: SeShutdownPrivilege	1292	Process not Found

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1292	Process not Found
1292	Process not Found
1292	Process not Found
1292	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	Process not Found
1292	Process not Found

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1944	1292	Process not Found	28
PID 1292 wrote to memory of 1944	1292	Process not Found	28
PID 1292 wrote to memory of 1944	1292	Process not Found	28
PID 1292 wrote to memory of 600	1292	Process not Found	31
PID 1292 wrote to memory of 600	1292	Process not Found	31
PID 1292 wrote to memory of 600	1292	Process not Found	31
PID 1292 wrote to memory of 600	1292	Process not Found	31
PID 1292 wrote to memory of 600	1292	Process not Found	31
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 600 wrote to memory of 924	600	regsvr32.exe	32
PID 1292 wrote to memory of 640	1292	Process not Found	33
PID 1292 wrote to memory of 640	1292	Process not Found	33
PID 1292 wrote to memory of 640	1292	Process not Found	33
PID 1292 wrote to memory of 640	1292	Process not Found	33
PID 640 wrote to memory of 1452	640	7927.exe	36
PID 640 wrote to memory of 1452	640	7927.exe	36
PID 640 wrote to memory of 1452	640	7927.exe	36
PID 640 wrote to memory of 1452	640	7927.exe	36
PID 1452 wrote to memory of 1940	1452	cmd.exe	38
PID 1452 wrote to memory of 1940	1452	cmd.exe	38
PID 1452 wrote to memory of 1940	1452	cmd.exe	38
PID 1452 wrote to memory of 1940	1452	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
"C:\Users\Admin\AppData\Local\Temp\23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:900

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\77EE.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\77EE.dll
  2⤵
  - Loads dropped DLL
  PID:924

C:\Users\Admin\AppData\Local\Temp\7927.exe
C:\Users\Admin\AppData\Local\Temp\7927.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7927.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-12-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/640-11-0x0000000005F7B000-0x0000000005F7C000-memory.dmp

Filesize
4KB

Download
memory/900-1-0x0000000000AE0000-0x0000000000AF1000-memory.dmp

Filesize
68KB

Download
memory/900-0-0x0000000000309000-0x000000000030A000-memory.dmp

Filesize
4KB

Download
memory/1028-13-0x000007FEF70B0000-0x000007FEF732A000-memory.dmp

Filesize
2.5MB

Download
memory/1292-3-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download