Analysis
max time kernel: 130s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 02-12-2020 14:58
Static task: static1
Behavioral task: behavioral1
Sample: f855a98d4367685b38e0c961627ef029.exe
Resource: win7v20201028
General
Target: f855a98d4367685b38e0c961627ef029.exe
Size: 671KB
MD5: f855a98d4367685b38e0c961627ef029
SHA1: f111814ebf9950785a8e932627abfae9c3ec24ef
SHA256: 37cb831726dc1877ea59cf5618e4fa224368bbd64a7047dec6fb554a6a17d4c2
SHA512: c3e295ac5f46c8400ebe9846eaddea93b06f4023cc36751654ae9ff73f4dc0e33510fbe4ef2ebf9ff24328ac316158b77560620ad6db8d4dc8791756b1e7386c
Malware Config
Extracted
danabot
1732
3
104.227.34.227:443
64.188.20.187:443
51.195.73.129:443
176.123.2.249:443
embedded_hash: 6266E79288DFE2AE2C2DB47563C7F93A
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Blocklisted process makes network request [5 IoCs]
Processes (flow, pid, process):
  32  1492  WScript.exe
  34  1492  WScript.exe
  36  1492  WScript.exe
  38  1492  WScript.exe
  39  1204  RUNDLL32.EXE
Executes dropped EXE [7 IoCs]
Processes (pid, process):
  1092  File2.exe
  3824  lvlar.exe
  3052  4pla.exe
  1608  startver.exe
  1096  SmartClock.exe
  200   CL_Debug_Log.txt
  1332  pvtxmasaa.exe
Checks BIOS information in registry [2 TTPs, 8 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  lvlar.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   lvlar.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  4pla.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   4pla.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  startver.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   startver.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  SmartClock.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   SmartClock.exe
Drops startup file [1 IoCs]
Processes (description, ioc, process):
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk  4pla.exe
Identifies Wine through registry keys [2 TTPs, 4 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine  lvlar.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine  4pla.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine  startver.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine  SmartClock.exe
Loads dropped DLL [5 IoCs]
Processes (pid, process):
  1092  File2.exe
  2124  rundll32.exe
  2124  rundll32.exe
  1204  RUNDLL32.EXE
  1204  RUNDLL32.EXE
Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 [1 TTPs]

Looks up external IP address via web service [1 IoCs]
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  18  ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger [4 IoCs]
Processes (pid, process):
  3824  lvlar.exe
  3052  4pla.exe
  1608  startver.exe
  1096  SmartClock.exe
Drops file in Program Files directory [7 IoCs]
Processes (description, ioc, process):
  File created  C:\Program Files (x86)\solfer\4pla.exe  File2.exe
  File created  C:\Program Files (x86)\solfer\startver.exe  File2.exe
  File created  C:\Program Files (x86)\solfer\boleroh\msdasc.chm  File2.exe
  File created  C:\Program Files (x86)\solfer\boleroh\msorcl32.chm  File2.exe
  File created  C:\Program Files (x86)\solfer\boleroh\lvlar.exe  File2.exe
  File created  C:\Program Files (x86)\solfer\wiatrace.log  File2.exe
  File created  C:\Program Files (x86)\solfer\Microsoft.IdentityServer.Web.Resources.dll  File2.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry [2 TTPs, 6 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  lvlar.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  RUNDLL32.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RUNDLL32.EXE
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  f855a98d4367685b38e0c961627ef029.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  f855a98d4367685b38e0c961627ef029.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  lvlar.exe
Creates scheduled task(s) [1 TTPs, 1 IoCs]
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe [1 IoCs]
Processes (pid, process):
  3820  timeout.exe
Modifies registry class [1 IoCs]
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings  cmd.exe
Modifies system certificate store
Processes (description, ioc, process):
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]  WScript.exe
Suspicious behavior: AddClipboardFormatListener [1 IoCs]
Processes (pid, process):
  1096  SmartClock.exe

Suspicious behavior: EnumeratesProcesses [16 IoCs]
Processes (pid, process):
  3824  lvlar.exe
  3824  lvlar.exe
  3052  4pla.exe
  3052  4pla.exe
  1608  startver.exe
  1608  startver.exe
  1096  SmartClock.exe
  1096  SmartClock.exe
  3804  powershell.exe
  3804  powershell.exe
  3804  powershell.exe
  1204  RUNDLL32.EXE
  1204  RUNDLL32.EXE
  3144  powershell.exe
  3144  powershell.exe
  3144  powershell.exe
Suspicious use of AdjustPrivilegeToken [8 IoCs]
Processes (description, pid, process):
  Token: SeRestorePrivilege   200   CL_Debug_Log.txt
  Token: 35                   200   CL_Debug_Log.txt
  Token: SeSecurityPrivilege  200   CL_Debug_Log.txt
  Token: SeSecurityPrivilege  200   CL_Debug_Log.txt
  Token: SeDebugPrivilege     2124  rundll32.exe
  Token: SeDebugPrivilege     1204  RUNDLL32.EXE
  Token: SeDebugPrivilege     3804  powershell.exe
  Token: SeDebugPrivilege     3144  powershell.exe

Suspicious use of FindShellTrayWindow [6 IoCs]
Processes (pid, process):
  3992  f855a98d4367685b38e0c961627ef029.exe
  3992  f855a98d4367685b38e0c961627ef029.exe
  1608  startver.exe
  1608  startver.exe
  1608  startver.exe
  1204  RUNDLL32.EXE

Suspicious use of SendNotifyMessage [3 IoCs]
Processes (pid, process):
  1608  startver.exe
  1608  startver.exe
  1608  startver.exe
Suspicious use of WriteProcessMemory [63 IoCs]
Processes (description, pid, process, target process; the report records each row three times, giving 63 entries):
  PID 3992 wrote to memory of 1092  3992  f855a98d4367685b38e0c961627ef029.exe  File2.exe
  PID 3992 wrote to memory of 3708  3992  f855a98d4367685b38e0c961627ef029.exe  cmd.exe
  PID 3708 wrote to memory of 3820  3708  cmd.exe  timeout.exe
  PID 1092 wrote to memory of 3824  1092  File2.exe  lvlar.exe
  PID 1092 wrote to memory of 3052  1092  File2.exe  4pla.exe
  PID 1092 wrote to memory of 1608  1092  File2.exe  startver.exe
  PID 3052 wrote to memory of 1096  3052  4pla.exe  SmartClock.exe
  PID 1608 wrote to memory of 200   1608  startver.exe  CL_Debug_Log.txt
  PID 1608 wrote to memory of 3920  1608  startver.exe  cmd.exe
  PID 3920 wrote to memory of 2144  3920  cmd.exe  schtasks.exe
  PID 3824 wrote to memory of 2216  3824  lvlar.exe  cmd.exe
  PID 2216 wrote to memory of 1332  2216  cmd.exe  pvtxmasaa.exe
  PID 1332 wrote to memory of 2124  1332  pvtxmasaa.exe  rundll32.exe
  PID 2124 wrote to memory of 1204  2124  rundll32.exe  RUNDLL32.EXE
  PID 3824 wrote to memory of 1728  3824  lvlar.exe  cmd.exe
  PID 1728 wrote to memory of 1492  1728  cmd.exe  WScript.exe
  PID 1204 wrote to memory of 3804  1204  RUNDLL32.EXE  powershell.exe
  PID 1204 wrote to memory of 3144  1204  RUNDLL32.EXE  powershell.exe
  PID 3144 wrote to memory of 1904  3144  powershell.exe  nslookup.exe
  PID 1204 wrote to memory of 2712  1204  RUNDLL32.EXE  schtasks.exe
  PID 1204 wrote to memory of 2188  1204  RUNDLL32.EXE  schtasks.exe
Processes (process tree; [N] is the depth of the entry in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe"
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\File2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\File2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\solfer\boleroh\lvlar.exe
        Command line: "C:\Program Files (x86)\solfer\boleroh\lvlar.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\rundll32.exe
              Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\RUNDLL32.EXE
                Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL,LycILDZIBeQ=
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2BA5.tmp.ps1"
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3F3E.tmp.ps1"
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\nslookup.exe
                    Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
              [8] C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              [8] C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\hpjrsgjgcc.vbs"
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hpjrsgjgcc.vbs"
            - Blocklisted process makes network request
            - Modifies system certificate store
    [3] C:\Program Files (x86)\solfer\4pla.exe
        Command line: "C:\Program Files (x86)\solfer\4pla.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Drops startup file
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\solfer\startver.exe
        Command line: "C:\Program Files (x86)\solfer\startver.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
          Command line: C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
            - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\solfer\4pla.exe
- C:\Program Files (x86)\solfer\4pla.exe
- C:\Program Files (x86)\solfer\boleroh\lvlar.exe
- C:\Program Files (x86)\solfer\boleroh\lvlar.exe
- C:\Program Files (x86)\solfer\startver.exe
- C:\Program Files (x86)\solfer\startver.exe
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\Admin\AppData\Local\Temp\32.exe
- C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\EPSVCW~1.ZIP
- C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\PYY0S8~1.ZIP
- C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\_Files\_INFOR~1.TXT
- C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\_Files\_SCREE~1.JPE
- C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\files_\SCREEN~1.JPG
- C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\files_\SYSTEM~1.TXT
- C:\Users\Admin\AppData\Local\Temp\64.exe
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
- C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
- C:\Users\Admin\AppData\Local\Temp\File2.exe
- C:\Users\Admin\AppData\Local\Temp\File2.exe
- C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
- C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
- C:\Users\Admin\AppData\Local\Temp\hpjrsgjgcc.vbs
- C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe
- C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe
- C:\Users\Admin\AppData\Local\Temp\tmp2BA5.tmp.ps1
- C:\Users\Admin\AppData\Local\Temp\tmp2BA6.tmp
- C:\Users\Admin\AppData\Local\Temp\tmp3F3E.tmp.ps1
- C:\Users\Admin\AppData\Local\Temp\tmp3F3F.tmp
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
- \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
- \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
- \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
- \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
- \Users\Admin\AppData\Local\Temp\nsk790F.tmp\UAC.dll