Analysis
max time kernel: 151s
max time network: 99s
platform: windows10_x64
resource: win10v20210408
submitted: 24-09-2021 17:28
Static task: static1
Behavioral task: behavioral1
Sample: 39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
Resource: win10v20210408
General
Target: 39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
Size: 287KB
MD5: 7db925ca083865c068baed7947c2b4a1
SHA1: d8e12bfbb94aa19360ee64198c55127fa3f961cb
SHA256: 39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b
SHA512: 7605409d310d462d85414145d25470140177434d20daaf7a2850c11fc58915ad6324f1f22a4a6f34d39e8bc192224f71dd1c68a52a795e7df2e5f1a56071005a
Malware Config
Extracted: smokeloader
  version: 2020
  C2 URLs (10 entries):
Extracted: redline
  545
  C2: 147.124.212.128:45499
Extracted: raccoon
  f6d7183c9e82d2a9b81e6c0608450aa66cefb51f
  url4cnc: https://t.me/justoprostohello
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes (resource / yara_rule):
  behavioral1/memory/2192-150-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
  behavioral1/memory/2192-151-0x000000000041C5DA-mapping.dmp  family_redline
  behavioral1/memory/4000-764-0x000000000041933E-mapping.dmp  family_redline
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes (pid / process):
  2100  DDF7.exe
  2472  E153.exe
  2724  E51D.exe
  3956  EA9C.exe
  2192  E153.exe
  3800  vk9oMUe37A.exe
  4000  EA9C.exe
  1160  sihost.exe
  2304  rtsgwrt
  3192  rtsgwrt
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Deletes itself 1 IoCs
Processes (pid / process):
  3024
-
Loads dropped DLL 6 IoCs
Processes (pid / process):
  2724  E51D.exe  (6 events)
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
Processes (description / ioc / process):
  File created  C:\Windows\SysWOW64\rdpclip.exe  powershell.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description / pid / process -> target process):
  PID 664 set thread context of 888    39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe -> 39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
  PID 2472 set thread context of 2192  E153.exe -> E153.exe
  PID 3956 set thread context of 4000  EA9C.exe -> EA9C.exe
  PID 2304 set thread context of 3192  rtsgwrt -> rtsgwrt
-
Drops file in Windows directory 8 IoCs
Processes (description / ioc / process):
  File opened for modification  C:\Windows\branding\Basebrd       powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd      powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg    powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg    powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes (pid / pid_target / process / target process):
  3268  2472  WerFault.exe  E153.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  rtsgwrt
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  rtsgwrt
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  rtsgwrt
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes (pid / process):
  3848  timeout.exe
-
Modifies registry class 2 IoCs
Processes (description / ioc):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process; identical entries collapsed):
  888   39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe  (2 events)
  3024  (62 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
  3024
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid / process):
  612
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes (pid / process):
  888   39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe
  3192  rtsgwrt
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes (description / pid / process; identical entries collapsed):
  Token: SeDebugPrivilege           2472  E153.exe
  Token: SeRestorePrivilege         3268  WerFault.exe
  Token: SeBackupPrivilege          3268  WerFault.exe
  Token: SeDebugPrivilege           3268  WerFault.exe
  Token: SeDebugPrivilege           3528  powershell.exe
  Token: SeDebugPrivilege           2192  E153.exe
  Token: SeDebugPrivilege           2696  powershell.exe
  Token: SeDebugPrivilege           2644  powershell.exe
  Token: SeDebugPrivilege           3192  powershell.exe
  Token: SeDebugPrivilege           4000  EA9C.exe
  Token: SeShutdownPrivilege        3024  (16 events)
  Token: SeCreatePagefilePrivilege  3024  (16 events)
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes (pid / process):
  3024  (6 events)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid / process):
  3024  (2 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process -> target process; identical entries collapsed):
  PID 664 wrote to memory of 888    39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe -> 39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe  (6 events)
  PID 3024 wrote to memory of 2100  (unnamed) -> DDF7.exe  (3 events)
  PID 3024 wrote to memory of 2472  (unnamed) -> E153.exe  (3 events)
  PID 3024 wrote to memory of 2724  (unnamed) -> E51D.exe  (3 events)
  PID 3024 wrote to memory of 3956  (unnamed) -> EA9C.exe  (3 events)
  PID 2472 wrote to memory of 3936  E153.exe -> E153.exe  (3 events)
  PID 2472 wrote to memory of 3008  E153.exe -> E153.exe  (3 events)
  PID 2472 wrote to memory of 3236  E153.exe -> E153.exe  (3 events)
  PID 2472 wrote to memory of 2192  E153.exe -> E153.exe  (8 events)
  PID 2100 wrote to memory of 3528  DDF7.exe -> powershell.exe  (3 events)
  PID 3528 wrote to memory of 3868  powershell.exe -> csc.exe  (3 events)
  PID 3868 wrote to memory of 3964  csc.exe -> cvtres.exe  (3 events)
  PID 2724 wrote to memory of 3800  E51D.exe -> vk9oMUe37A.exe  (3 events)
  PID 2724 wrote to memory of 2900  E51D.exe -> cmd.exe  (3 events)
  PID 2900 wrote to memory of 3848  cmd.exe -> timeout.exe  (3 events)
  PID 3800 wrote to memory of 424   vk9oMUe37A.exe -> schtasks.exe  (3 events)
  PID 3528 wrote to memory of 2696  powershell.exe -> powershell.exe  (3 events)
  PID 3528 wrote to memory of 2644  powershell.exe -> powershell.exe  (3 events)
  PID 3528 wrote to memory of 3192  powershell.exe -> powershell.exe  (2 events)
Processes (tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe (PID 664)
  command line: "C:\Users\Admin\AppData\Local\Temp\39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe (PID 888)
    command line: "C:\Users\Admin\AppData\Local\Temp\39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b.exe"
    signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\DDF7.exe (PID 2100)
  command line: C:\Users\Admin\AppData\Local\Temp\DDF7.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3528)
    command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 3868)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmfwopc3\hmfwopc3.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3964)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C36.tmp" "c:\Users\Admin\AppData\Local\Temp\hmfwopc3\CSCE6982F71AF524AC3A2F8C15B4174F258.TMP"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2696)
      command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2644)
      command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3192)
      command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\reg.exe (PID 892)
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\SysWOW64\reg.exe (PID 1192)
      command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe (PID 2940)
      command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\SysWOW64\net.exe (PID 4000)
      command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - C:\Windows\SysWOW64\net1.exe (PID 1336)
        command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\SysWOW64\cmd.exe (PID 1960)
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - C:\Windows\SysWOW64\cmd.exe (PID 3788)
        command line: cmd /c net start rdpdr
        - C:\Windows\SysWOW64\net.exe (PID 964)
          command line: net start rdpdr
          - C:\Windows\SysWOW64\net1.exe (PID 2168)
            command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\SysWOW64\cmd.exe (PID 412)
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - C:\Windows\SysWOW64\cmd.exe (PID 3112)
        command line: cmd /c net start TermService
        - C:\Windows\SysWOW64\net.exe (PID 3380)
          command line: net start TermService
          - C:\Windows\SysWOW64\net1.exe (PID 4016)
            command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\SysWOW64\cmd.exe (PID 412)
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\SysWOW64\cmd.exe (PID 1792)
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Users\Admin\AppData\Local\Temp\E153.exe (PID 2472)
  command line: C:\Users\Admin\AppData\Local\Temp\E153.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\E153.exe (PID 3936)
    command line: "C:\Users\Admin\AppData\Local\Temp\E153.exe"
  - C:\Users\Admin\AppData\Local\Temp\E153.exe (PID 3008)
    command line: "C:\Users\Admin\AppData\Local\Temp\E153.exe"
  - C:\Users\Admin\AppData\Local\Temp\E153.exe (PID 2192)
    command line: "C:\Users\Admin\AppData\Local\Temp\E153.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\E153.exe (PID 3236)
    command line: "C:\Users\Admin\AppData\Local\Temp\E153.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 3268)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 948
    signatures: Program crash; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\E51D.exe (PID 2724)
  command line: C:\Users\Admin\AppData\Local\Temp\E51D.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vk9oMUe37A.exe (PID 3800)
    command line: "C:\Users\Admin\AppData\Local\Temp\vk9oMUe37A.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 424)
      command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2900)
    command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\E51D.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 3848)
      command line: timeout /T 10 /NOBREAK
      signatures: Delays execution with timeout.exe
- C:\Users\Admin\AppData\Local\Temp\EA9C.exe (PID 3956)
  command line: C:\Users\Admin\AppData\Local\Temp\EA9C.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\EA9C.exe (PID 4000)
    command line: "C:\Users\Admin\AppData\Local\Temp\EA9C.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe (PID 1160)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\schtasks.exe (PID 1328)
    command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\rtsgwrt (PID 2304)
  command line: C:\Users\Admin\AppData\Roaming\rtsgwrt
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Roaming\rtsgwrt (PID 3192)
    command line: C:\Users\Admin\AppData\Roaming\rtsgwrt
    signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads