Analysis
max time kernel: 151s
max time network: 164s
platform: windows10_x64
resource: win10-en-20210920
submitted: 24-10-2021 10:55
Static task: static1
Behavioral task: behavioral1
Sample: 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Resource: win10-en-20210920
General
Target: 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Size: 335KB
MD5: 1d747430b83501fef39cae62935452cb
SHA1: 3f39d8c08b5d559eacdaea84ae67bea27a5692bb
SHA256: 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
SHA512: 56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2
Malware Config
Extracted: smokeloader
Version: 2020
C2:
http://xacokuo8.top/
http://hajezey1.top/
Extracted: raccoon
7ebf9b416b72a203df65383eec899dc689d2c3d7 (field not labelled in the report)
url4cnc:
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
The url4cnc entries are the Telegram channel (and mirror front-ends for it) from which Raccoon reads its real C2 address at runtime; they are first-stage contacts, not the C2 itself, so block and hunt for the Telegram path as well as whatever address it resolves to.
Signatures
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | target process):
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4764 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4748 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4432 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4128 | 2364 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3568 | 2364 | schtasks.exe
-
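The signature above is an allowlist check on parent/child image pairs. The following is an added example, not code from the sandbox or this report, of the minimal detection logic behind it, run over constructed process-creation events that mirror the six schtasks.exe launches from wmiprvse.exe (PID 2364) recorded above. Field names follow Sysmon Event ID 1; EXPECTED_CHILDREN is an illustrative assumption, not a complete inventory, and the two benign events are invented to show the check staying quiet.

```python
"""Allowlist check for parent/child process pairs (added example, not from the report)."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    command_line: str


# Parents worth watching and the children they are expected to launch.
# An empty set means "no child is expected"; parents not listed are not checked.
# Assumption for the example: illustrative, not a complete inventory.
EXPECTED_CHILDREN = {
    "wmiprvse.exe": set(),                     # WMI provider host launching anything is notable
    "services.exe": {"svchost.exe", "msiexec.exe"},
    "winword.exe": {"splwow64.exe"},
}


def is_unexpected_child(ev: ProcEvent) -> bool:
    parent = ntpath.basename(ev.parent_image).lower()
    if parent not in EXPECTED_CHILDREN:
        return False
    return ntpath.basename(ev.image).lower() not in EXPECTED_CHILDREN[parent]


def find_unexpected_children(events):
    """Events that violate the allowlist, in input order."""
    return [ev for ev in events if is_unexpected_child(ev)]


def summarize(alerts):
    """Group by (parent, child) so six identical launches read as one finding."""
    groups = defaultdict(list)
    for ev in alerts:
        key = (ntpath.basename(ev.parent_image).lower(), ntpath.basename(ev.image).lower())
        groups[key].append(ev.pid)
    return dict(groups)


# Constructed events. The six schtasks PIDs and both image paths come from the report;
# the report does not say which task each PID created, so the command line is generic.
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
SAMPLE_EVENTS = [
    ProcEvent(pid, SCHTASKS, 2364, WMIPRVSE, "schtasks.exe /create /sc ONLOGON /rl HIGHEST /f")
    for pid in (4764, 4748, 4432, 4420, 4128, 3568)
] + [
    ProcEvent(900, r"C:\Windows\System32\svchost.exe", 700,
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcEvent(901, r"C:\Windows\System32\notepad.exe", 1100,
              r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for (parent, child), pids in summarize(find_unexpected_children(SAMPLE_EVENTS)).items():
        print(f"{parent} -> {child}: {len(pids)} launches, PIDs {pids}")
```

In a real pipeline the allowlist would be keyed on full image paths and signer, not basenames, otherwise a dropped file named wmiprvse.exe outside System32 would inherit the parent's expectations; the grouping step is what keeps six near-simultaneous launches from paging as six incidents.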
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
Processes (resource | yara_rule):
behavioral1/memory/648-141-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/648-142-0x0000000000418D06-mapping.dmp | family_redline
behavioral1/memory/648-152-0x0000000005470000-0x0000000005A76000-memory.dmp | family_redline
behavioral1/memory/1376-153-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1376-154-0x0000000000418D2A-mapping.dmp | family_redline
behavioral1/memory/1376-164-0x0000000004C60000-0x0000000005266000-memory.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes (description | pid | process | target process):
PID 588 created 5020 | 588 | WerFault.exe | D4C4.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes (pid | process):
3164 | 398A.exe
3784 | 398A.exe
4052 | 53CA.exe
808 | 5F16.exe
648 | 53CA.exe
1376 | 5F16.exe
5020 | D4C4.exe
1252 | 952.exe
4144 | SppExtComObj.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 952.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 952.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SppExtComObj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SppExtComObj.exe
-
Deletes itself 1 IoCs
Processes (pid | process):
3020 | (process name not recorded)
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine | 952.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine | SppExtComObj.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\url\\fontdrvhost.exe\"" | 952.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\syncutil\\taskhostw.exe\"" | 952.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\WpcWebFilter\\SppExtComObj.exe\"" | 952.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\tpmcompc\\dllhost.exe\"" | 952.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\Office16\\dwm.exe\"" | 952.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\"" | 952.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
88 | ipinfo.io
89 | ipinfo.io
-
Drops file in System32 directory 9 IoCs
Processes (description | ioc | process):
File created | C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe | 952.exe
File created | C:\Windows\SysWOW64\tpmcompc\dllhost.exe | 952.exe
File created | C:\Windows\SysWOW64\tpmcompc\5940a34987c99120d96dace90a3f93f329dcad63 | 952.exe
File created | C:\Windows\SysWOW64\syncutil\taskhostw.exe | 952.exe
File created | C:\Windows\SysWOW64\syncutil\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 | 952.exe
File opened for modification | C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe | 952.exe
File created | C:\Windows\SysWOW64\WpcWebFilter\e1ef82546f0b02b7e974f28047f3788b1128cce1 | 952.exe
File created | C:\Windows\SysWOW64\url\fontdrvhost.exe | 952.exe
File created | C:\Windows\SysWOW64\url\5b884080fd4f94e2695da25c503f9e33b9605b83 | 952.exe
The Run values and scheduled tasks in this report name C:\Windows\System32\..., yet the files were created under C:\Windows\SysWOW64\...: 952.exe is a 32-bit process (its Run values land under WOW6432Node and it launches the SysWOW64 copy of cmd.exe), so WOW64 file-system redirection rewrites its System32 writes to SysWOW64. When hunting for these drops, check both directory trees.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid | process):
1252 | 952.exe
4144 | SppExtComObj.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description | pid | process | target process):
PID 4264 set thread context of 4312 | 4264 | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 3164 set thread context of 3784 | 3164 | 398A.exe | 398A.exe
PID 4052 set thread context of 648 | 4052 | 53CA.exe | 53CA.exe
PID 808 set thread context of 1376 | 808 | 5F16.exe | 5F16.exe
Each entry is a process setting the thread context of a second instance of itself; read together with the WriteProcessMemory and MapViewOfSection entries below for the same PID pairs, this is the usual pattern of a packer writing its payload into a suspended copy of its own image before resuming it, which is why the RedLine YARA hits above land in the child PIDs 648 and 1376 rather than in the files on disk.
-
Drops file in Program Files directory 2 IoCs
Processes (description | ioc | process):
File created | C:\Program Files\Microsoft Office\Office16\dwm.exe | 952.exe
File created | C:\Program Files\Microsoft Office\Office16\6cb0b6c459d5d3455a3da700e713f2e2529862ff | 952.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report supports that reading (no file encryption or ransom note is recorded, and the identified families are a loader and two stealers). In this trace it sits alongside the BIOS and SCSI registry reads that the report attributes to sandbox detection.
-
Program crash 1 IoCs
Processes (pid | pid_target | process | target process):
588 | 5020 | WerFault.exe | D4C4.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 398A.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 398A.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 398A.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
-
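The BIOS, Wine and SCSI registry reads above are only useful to the sample because stock virtual machines leave recognisable strings in those locations. The following is an added example, not code from the sandbox or this report, of the substring checks that anti-VM code commonly applies to exactly the keys queried here, written as a self-check an analyst can run against a sandbox image's registry values before detonating a sample. Both registry snapshots are constructed, and VM_MARKERS is an illustrative assumption rather than an exhaustive list.

```python
"""Markers behind the BIOS, SCSI and Wine registry reads (added example, not from the report)."""

# Substrings commonly checked against SystemBiosVersion / VideoBiosVersion data
# and enumerated SCSI device IDs. Assumption for the example: illustrative only.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS", "VIRTUAL")

# The paths are the ones recorded in this report.
BIOS_KEYS = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
WINE_KEY = r"\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine"


def find_vm_markers(snapshot):
    """snapshot maps a registry path to its data: a list of strings for the
    REG_MULTI_SZ BIOS values and for enumerated SCSI device IDs, or a bool for
    keys whose mere presence is the signal (Software\\Wine).
    Returns (path, reason) pairs; an empty list means nothing was exposed."""
    hits = []
    for path, data in snapshot.items():
        if isinstance(data, bool):
            if data:
                hits.append((path, "key present"))
            continue
        for value in data:
            marker = next((m for m in VM_MARKERS if m in value.upper()), None)
            if marker:
                hits.append((path, f"{marker} in {value!r}"))
    return hits


# Constructed to resemble a stock VirtualBox guest (values are made up for the example).
VBOX_SNAPSHOT = {
    BIOS_KEYS[0]: ["VBOX   - 1"],
    BIOS_KEYS[1]: ["Oracle VM VirtualBox VBE Adapter"],
    SCSI_KEY: [r"Disk&Ven_VBOX&Prod_HARDDISK"],
    WINE_KEY: False,
}
# Constructed to resemble the same guest after the values were rewritten.
HARDENED_SNAPSHOT = {
    BIOS_KEYS[0]: ["DELL   - 1072009"],
    BIOS_KEYS[1]: ["Intel Video BIOS"],
    SCSI_KEY: [r"Disk&Ven_Samsung&Prod_SSD_860_EVO"],
    WINE_KEY: False,
}

if __name__ == "__main__":
    for name, snap in (("stock", VBOX_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        hits = find_vm_markers(snap)
        print(f"{name}: {len(hits)} marker(s)")
        for path, reason in hits:
            print("  ", path.rsplit("\\", 1)[-1], "-", reason)
```

On a live Windows host the snapshot would be filled from winreg (the BIOS values are REG_MULTI_SZ, the SCSI key is enumerated one subkey at a time); keeping the check data-driven lets the same function run on exported hives offline.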
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
4432 | schtasks.exe
4420 | schtasks.exe
4128 | schtasks.exe
3568 | schtasks.exe
4764 | schtasks.exe
4748 | schtasks.exe
-
Modifies registry class 1 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | 952.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process | entries):
4312 | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe | 2
3020 | (process name not recorded) | 62
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
3020 | (process name not recorded)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes (pid | process):
4312 | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
3784 | 398A.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes (description | pid | process), in the order recorded; PID 3020 has no process name in the report and alternates SeShutdownPrivilege / SeCreatePagefilePrivilege throughout (21 pairs, 42 of the 49 entries):
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3020 | 11 alternating pairs
Token: SeDebugPrivilege | 648 | 53CA.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3020 | 3 alternating pairs
Token: SeDebugPrivilege | 1376 | 5F16.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3020 | 3 alternating pairs
Token: SeDebugPrivilege | 1252 | 952.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3020 | 2 alternating pairs
Token: SeDebugPrivilege | 4144 | SppExtComObj.exe
Token: SeRestorePrivilege | 588 | WerFault.exe
Token: SeBackupPrivilege | 588 | WerFault.exe
Token: SeDebugPrivilege | 588 | WerFault.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3020 | 2 alternating pairs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes (pid process -> target pid target process | entries), 54 entries grouped by pair; PID 3020 has no process name in the report:
4264 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe -> 4312 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe | 6
3020 -> 3164 398A.exe | 3
3164 398A.exe -> 3784 398A.exe | 6
3020 -> 4052 53CA.exe | 3
4052 53CA.exe -> 648 53CA.exe | 8
3020 -> 808 5F16.exe | 3
808 5F16.exe -> 1376 5F16.exe | 8
3020 -> 5020 D4C4.exe | 3
3020 -> 1252 952.exe | 3
1252 952.exe -> 3420 cmd.exe | 3
3420 cmd.exe -> 712 w32tm.exe | 3
712 w32tm.exe -> 680 w32tm.exe | 2
3420 cmd.exe -> 4144 SppExtComObj.exe | 3
Processes
-
C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\398A.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\398A.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\398A.exe (tree level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\398A.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\53CA.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\53CA.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\53CA.exe (tree level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\53CA.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5F16.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\5F16.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5F16.exe (tree level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\5F16.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D4C4.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\D4C4.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (tree level 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1004
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\952.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\952.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree level 2)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YRTqs5jhyK.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\w32tm.exe (tree level 3)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
A stripchart of two samples five seconds apart against localhost does nothing useful for time synchronisation; batch droppers use it as a short delay in place of timeout or ping before launching the next stage, which here is SppExtComObj.exe.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\w32tm.exe (tree level 4)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe (tree level 3)
Command line: "C:\Windows\System32\WpcWebFilter\SppExtComObj.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\WpcWebFilter\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\tpmcompc\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\url\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\syncutil\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
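The six scheduled tasks and the six Run values in this report point at the same six binaries, each named after a Windows system executable (fontdrvhost.exe, taskhostw.exe, dllhost.exe, dwm.exe, sppsvc.exe, SppExtComObj.exe) but placed in a directory where no such binary belongs. The following is an added example, not code from the sandbox or this report, that parses those schtasks command lines and Run-key rows as recorded above, pulls out each target, and flags the name/location mismatch together with the ONLOGON trigger and /rl HIGHEST run level; the result doubles as a list of paths to hunt for on other hosts. CANONICAL_DIRS is an illustrative assumption, not a full inventory of Windows binaries.

```python
"""Persistence review for the scheduled tasks and Run values (added example, not from the report)."""
import ntpath
import re

# Where the legitimate binary of each borrowed name lives. Assumption for the example.
CANONICAL_DIRS = {
    "fontdrvhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dwm.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "sppextcomobj.exe": {r"c:\windows\system32"},
}

TASK_RE = re.compile(
    r"""/tn\s+"(?P<name>[^"]+)".*?/sc\s+(?P<sched>\S+).*?/tr\s+"'?(?P<target>[^"']+)'?"(?:.*?/rl\s+(?P<level>\S+))?""",
    re.IGNORECASE,
)
# Matches the report's 'Set value (str) \REGISTRY\...\Run\<name> = "<escaped value>" <process>' rows.
RUN_RE = re.compile(r'\\Run\\(?P<name>\S+) = "(?P<value>.*?)"(?:\s+\S+)?$')


def parse_task(cmdline):
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    return {"source": "schtasks", "name": m["name"], "trigger": m["sched"].upper(),
            "target": m["target"], "level": (m["level"] or "").upper()}


def parse_run_value(line):
    m = RUN_RE.search(line)
    if not m:
        return None
    # The report escapes the data: \"C:\\dir\\x.exe\"  ->  C:\dir\x.exe
    target = m["value"].replace('\\"', "").replace("\\\\", "\\")
    return {"source": "run_key", "name": m["name"], "trigger": "LOGON",
            "target": target, "level": ""}


def masquerade_reason(target):
    """Reason string if the file name belongs to a system binary but the directory does not."""
    name = ntpath.basename(target).lower()
    directory = ntpath.dirname(target).lower()
    if name in CANONICAL_DIRS and directory not in CANONICAL_DIRS[name]:
        return f"{name} expected under {sorted(CANONICAL_DIRS[name])[0]}, found under {directory}"
    return None


def assess_persistence(task_cmdlines, run_lines):
    findings = []
    for entry in [parse_task(c) for c in task_cmdlines] + [parse_run_value(l) for l in run_lines]:
        if entry is None:
            continue
        entry["masquerade"] = masquerade_reason(entry["target"])
        entry["elevated"] = entry["level"] == "HIGHEST"
        findings.append(entry)
    return findings


def hunt_paths(findings):
    """Distinct target paths (case-folded) to look for on other hosts."""
    return sorted({f["target"].lower() for f in findings})


# Input copied from the report's process tree and Run-key table.
SAMPLE_TASK_CMDLINES = [
    r"""schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\WpcWebFilter\SppExtComObj.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\tpmcompc\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\url\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\syncutil\taskhostw.exe'" /rl HIGHEST /f""",
]
SAMPLE_RUN_LINES = [
    r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\url\\fontdrvhost.exe\"" 952.exe""",
    r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\syncutil\\taskhostw.exe\"" 952.exe""",
    r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\WpcWebFilter\\SppExtComObj.exe\"" 952.exe""",
    r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\tpmcompc\\dllhost.exe\"" 952.exe""",
    r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\Office16\\dwm.exe\"" 952.exe""",
    r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\"" 952.exe""",
]

if __name__ == "__main__":
    for f in assess_persistence(SAMPLE_TASK_CMDLINES, SAMPLE_RUN_LINES):
        flag = " [elevated]" if f["elevated"] else ""
        print(f'{f["source"]:8} {f["name"]:13} {f["trigger"]:8}{flag} {f["masquerade"] or "ok"}')
```

The path check works on the strings as written; it does not need to resolve the WOW64 redirection noted in the file-drop section, because neither C:\Windows\System32\url nor C:\Windows\SysWOW64\url is a canonical home for fontdrvhost.exe. When turning hunt_paths into a sweep, search both System32 and SysWOW64 spellings of each directory.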
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\53CA.exe.log
MD5: 605f809fab8c19729d39d075f7ffdb53
SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5F16.exe.log
MD5: 41fbed686f5700fc29aaccf83e8ba7fd
SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\398A.exe (listed three times in the report; identical hashes to the submitted sample, so the first stage copies itself to this path)
MD5: 1d747430b83501fef39cae62935452cb
SHA1: 3f39d8c08b5d559eacdaea84ae67bea27a5692bb
SHA256: 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
SHA512: 56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2
-
C:\Users\Admin\AppData\Local\Temp\53CA.exe (listed three times in the report)
MD5: a9cf6b07b6ee36d4986bd67429634417
SHA1: 5343ed7b750d6f4b4710380bbd14301936db982e
SHA256: 56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5
SHA512: 4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7
-
C:\Users\Admin\AppData\Local\Temp\5F16.exe (listed three times in the report)
MD5: 0cafd553a0f55d525a5ec0ec6c2c06bd
SHA1: 621e411916749c72cdc4d97f46b843bb758659c1
SHA256: 3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987
SHA512: b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9
-
C:\Users\Admin\AppData\Local\Temp\952.exe (listed twice in the report)
MD5: 2a3ceb6380456ef63f154316b31b7d35
SHA1: a5eec282a26158b3f09df04680c49432d6769af1
SHA256: 7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618
SHA512: da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4
-
C:\Users\Admin\AppData\Local\Temp\D4C4.exe (listed twice in the report)
MD5: cb9947c3461d8a13746903c458975e27
SHA1: cdfecd39df19a73f5dc23d832b0e28faedae4b9e
SHA256: 2ba75d4c5906496be518091435f2f0826c906a6555bb455a1d7dae5d00a9c8d0
SHA512: 41bb7024321ebba5400d77586344458a8fd048ac474b27c24d15bbdbf764da068afd83fded55504626d5890880161435ee458364b4b75e8aa8a9b3dc8f596e44
-
C:\Users\Admin\AppData\Local\Temp\YRTqs5jhyK.bat
MD5: dd335c64bc831465f1fa2baadf7bd4a2
SHA1: 9065e9d0b8355ddfc849086f9ca9b94d8bf68833
SHA256: 51766dcca2fda7351913ff886d0363349b7c5234b9107dd62a59fb7b0e0025aa
SHA512: a62b94ac747fe2fa31a40d7cfcc60695347103620e83072a2bd77069b269d67cc73d0f21fda52165ec7a9aea39fecc521a7508c3bb176bd5e9e4177b595de8eb
-
C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe (listed twice in the report; identical hashes to 952.exe, so 952.exe copied itself into place rather than dropping a distinct payload)
MD5: 2a3ceb6380456ef63f154316b31b7d35
SHA1: a5eec282a26158b3f09df04680c49432d6769af1
SHA256: 7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618
SHA512: da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4
-
memory/648-169-0x0000000006450000-0x0000000006451000-memory.dmp: 4KB
memory/648-152-0x0000000005470000-0x0000000005A76000-memory.dmp: 6.0MB
memory/648-171-0x0000000007660000-0x0000000007661000-memory.dmp: 4KB
memory/648-141-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
memory/648-142-0x0000000000418D06-mapping.dmp
memory/648-166-0x0000000005930000-0x0000000005931000-memory.dmp: 4KB
memory/648-146-0x0000000005A80000-0x0000000005A81000-memory.dmp: 4KB
memory/648-170-0x0000000006F60000-0x0000000006F61000-memory.dmp: 4KB
memory/648-148-0x0000000001660000-0x0000000001661000-memory.dmp: 4KB
memory/648-149-0x0000000005580000-0x0000000005581000-memory.dmp: 4KB
memory/648-150-0x00000000054B0000-0x00000000054B1000-memory.dmp: 4KB
memory/648-151-0x00000000054F0000-0x00000000054F1000-memory.dmp: 4KB
memory/680-199-0x0000000000000000-mapping.dmp
memory/712-198-0x0000000000000000-mapping.dmp
memory/808-147-0x00000000059B0000-0x00000000059B1000-memory.dmp: 4KB
memory/808-139-0x0000000005330000-0x0000000005331000-memory.dmp: 4KB
memory/808-136-0x0000000000B50000-0x0000000000B51000-memory.dmp: 4KB
memory/808-138-0x0000000005350000-0x0000000005351000-memory.dmp: 4KB
memory/808-133-0x0000000000000000-mapping.dmp
memory/808-140-0x00000000052D0000-0x0000000005346000-memory.dmp: 472KB
memory/1252-195-0x0000000005D40000-0x0000000005D41000-memory.dmp: 4KB
memory/1252-193-0x0000000077A00000-0x0000000077B8E000-memory.dmp: 1.6MB
memory/1252-186-0x0000000000000000-mapping.dmp
memory/1252-189-0x00000000010A0000-0x00000000010A1000-memory.dmp: 4KB
memory/1252-192-0x0000000005AB0000-0x0000000005AB1000-memory.dmp: 4KB
memory/1376-164-0x0000000004C60000-0x0000000005266000-memory.dmp: 6.0MB
memory/1376-153-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
memory/1376-154-0x0000000000418D2A-mapping.dmp
memory/3020-119-0x00000000003B0000-0x00000000003C6000-memory.dmp: 88KB
memory/3020-127-0x00000000020A0000-0x00000000020B6000-memory.dmp: 88KB
memory/3164-120-0x0000000000000000-mapping.dmp
memory/3420-196-0x0000000000000000-mapping.dmp
memory/3784-125-0x0000000000402E0C-mapping.dmp
memory/4052-128-0x0000000000000000-mapping.dmp
memory/4052-131-0x00000000006A0000-0x00000000006A1000-memory.dmp: 4KB
memory/4144-200-0x0000000000000000-mapping.dmp
memory/4144-208-0x0000000004ED0000-0x0000000004ED6000-memory.dmp: 24KB
memory/4144-203-0x0000000077A00000-0x0000000077B8E000-memory.dmp: 1.6MB
memory/4144-204-0x00000000000B0000-0x00000000000B1000-memory.dmp: 4KB
memory/4144-209-0x0000000005070000-0x0000000005071000-memory.dmp: 4KB
memory/4264-116-0x0000000000030000-0x0000000000039000-memory.dmp: 36KB
memory/4312-118-0x0000000000402E0C-mapping.dmp
memory/4312-117-0x0000000000400000-0x0000000000409000-memory.dmp: 36KB
memory/5020-184-0x0000000001150000-0x000000000129A000-memory.dmp: 1.3MB
memory/5020-185-0x0000000000400000-0x0000000001063000-memory.dmp: 12.4MB
memory/5020-180-0x0000000000000000-mapping.dmp