Analysis
- max time kernel: 147s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 09-09-2020 12:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: dc475e00d9bc4e94ab1d528a5540e67d.exe
- Resource: win7v200722
General
- Target: dc475e00d9bc4e94ab1d528a5540e67d.exe
- Size: 371KB
- MD5: dc475e00d9bc4e94ab1d528a5540e67d
- SHA1: 348dbddf7b7c0488f25afb5c8f0ec312f7813fee
- SHA256: bc36c8d0ca400dd8e12f7d5af0569c24f549305697b46804fa700edf573884fb
- SHA512: c992aa79f057e9169b259cabe3ede64fba606f7434e496cc0c910211a5f8ba0cb67784a6a14827bd67ceb3897156add1ce2a59a00cad8e9a24e24a210f118486
Malware Config
Extracted family: lokibot
URLs:
- http://joovy.ga/webxpo/gate.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
Blacklisted process makes network request 8 IoCs
Processes: cmd.exe
- cmd.exe (pid 2064): flows 12, 13, 14, 16, 18, 20, 22, 28
Executes dropped EXE 1 IoCs
Processes: qzEKBW0.exe
- pid 1828 qzEKBW0.exe

Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Loads dropped DLL 2 IoCs
Processes: rundll32.exe, rundll32.exe
- pid 1756 rundll32.exe
- pid 3356 rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\q11u1w5557w19.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\q11u1w5557w19.exe\"" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\q11u1w5557w19.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
Checks whether UAC is enabled
Processes: cmd.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmd.exe)
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: cmd.exe, explorer.exe
- pid 2836 cmd.exe
- pid 200 explorer.exe (8 entries)
Drops file in Windows directory 1 IoCs
Processes: svchost.exe
- File opened for modification: C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat (svchost.exe)
NSIS installer 6 IoCs
Resource / YARA rule:
- C:\Users\Admin\AppData\Roaming\qzEKBW0.exe: nsis_installer_1, nsis_installer_2 (each matched twice)
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe: nsis_installer_1, nsis_installer_2
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (cmd.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer settings
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
Modifies data under HKEY_USERS 5 IoCs
Processes: svchost.exe
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (svchost.exe)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 (svchost.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" (svchost.exe)
- Set value (data): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 95904cc1a486d601 (svchost.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" (svchost.exe)
Modifies system certificate store
Processes: cmd.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E (cmd.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (value elided) (cmd.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: rundll32.exe, rundll32.exe, explorer.exe
- pid 1756 rundll32.exe
- pid 3356 rundll32.exe
- pid 200 explorer.exe (18 entries)
Suspicious behavior: MapViewOfSection 4 IoCs
Processes: rundll32.exe, rundll32.exe, cmd.exe
- pid 1756 rundll32.exe
- pid 3356 rundll32.exe
- pid 2836 cmd.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes: svchost.exe, cmd.exe, cmd.exe, explorer.exe
- svchost.exe (pid 1004): SeShutdownPrivilege, SeCreatePagefilePrivilege
- cmd.exe (pid 2064): SeDebugPrivilege
- cmd.exe (pid 2836): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- explorer.exe (pid 200): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory 172 IoCs
Processes: dc475e00d9bc4e94ab1d528a5540e67d.exe, rundll32.exe
- PID 4016 dc475e00d9bc4e94ab1d528a5540e67d.exe wrote to memory of PID 1756 rundll32.exe (3 entries)
- PID 1756 rundll32.exe wrote to memory of PID 2064 cmd.exe (all remaining entries, identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\dc475e00d9bc4e94ab1d528a5540e67d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc475e00d9bc4e94ab1d528a5540e67d.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe Draughtboard,Hurley
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Blacklisted process makes network request; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\qzEKBW0.exe
        Command line: "C:\Users\Admin\AppData\Roaming\qzEKBW0.exe"
        Signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe KakaGemot,Hurley
          Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
          - C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            Signatures: Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\explorer.exe
              Command line: C:\Windows\SysWOW64\explorer.exe
              Signatures: Modifies firewall policy service; Checks BIOS information in registry; Adds Run key to start application; Drops desktop.ini file(s); Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Enumerates system info in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
Downloads
Files:
- C:\Users\Admin\AppData\Local\Temp\Bagpipe
- C:\Users\Admin\AppData\Local\Temp\Draughtboard.DLL
- C:\Users\Admin\AppData\Local\Temp\Emphysema
- C:\Users\Admin\AppData\Local\Temp\KakaGemot.DLL
- C:\Users\Admin\AppData\Local\Temp\idea\openx\zope\70.opends60.dll
- C:\Users\Admin\AppData\Local\Temp\idea\openx\zope\MicrosoftVisualJUpgradeEngineInterface.dll
- C:\Users\Admin\AppData\Local\Temp\idea\openx\zope\u2lexch.dll
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2066881839-3229799743-3576549721-1000\0f5007522459c86e95ffcc62f32308f1_664a9041-4ac4-46f3-b3dc-87db4d57890e
- C:\Users\Admin\AppData\Roaming\qzEKBW0.exe
- \Users\Admin\AppData\Local\Temp\Draughtboard.dll
- \Users\Admin\AppData\Local\Temp\KakaGemot.dll

Memory dumps:
- memory/200-23-0x0000000000000000-mapping.dmp
- memory/200-25-0x0000000001110000-0x0000000001550000-memory.dmp (4.2MB)
- memory/200-24-0x0000000001110000-0x0000000001550000-memory.dmp (4.2MB)
- memory/1756-0-0x0000000000000000-mapping.dmp
- memory/1756-4-0x0000000005030000-0x00000000050D2000-memory.dmp (648KB)
- memory/1828-7-0x0000000000000000-mapping.dmp
- memory/2064-6-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/2064-5-0x0000000000000000-mapping.dmp
- memory/2836-20-0x0000000000400000-0x0000000000435000-memory.dmp (212KB)
- memory/2836-21-0x0000000004E10000-0x0000000004EB2000-memory.dmp (648KB)
- memory/2836-22-0x0000000005330000-0x0000000005770000-memory.dmp (4.2MB)
- memory/2836-19-0x0000000000000000-mapping.dmp
- memory/3356-18-0x0000000004ED0000-0x0000000004F05000-memory.dmp (212KB)
- memory/3356-14-0x0000000000000000-mapping.dmp