Analysis

Max time kernel: 151s
Max time network: 152s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 07/12/2021, 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
Resource: win10-en-20211014

General

Target: 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
Size: 341KB
MD5: a0a201f098c95d71c7e2b64c6be9bc46
SHA1: f317aa454ce83479ef95ebdecf767d11ea64e948
SHA256: 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
SHA512: 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0
Malware Config

Extracted: smokeloader
  Version: 2020
  C2:
    http://host-data-coin-11.com/
    http://file-coin-host-12.com/

Extracted: raccoon
  Version: 1.8.3-hotfix
  Botnet: f797145799b7b1b77b35d81de942eee0908da519
  url4cnc:
    http://91.219.236.27/capibar
    http://94.158.245.167/capibar
    http://185.163.204.216/capibar
    http://185.225.19.238/capibar
    http://185.163.204.218/capibar
    https://t.me/capibar

Extracted: amadey
  Version: 2.86
  C2: 185.215.113.35/d2VxjasuwS/index.php

Extracted: raccoon
  Version: 1.8.3-hotfix
  Botnet: fd4f23250443a724a3d1548e6ab07c481dfc2814
  url4cnc:
    http://91.219.236.27/duglassa1
    http://94.158.245.167/duglassa1
    http://185.163.204.216/duglassa1
    http://185.225.19.238/duglassa1
    http://185.163.204.218/duglassa1
    https://t.me/duglassa1

Extracted: arkei
  Botnet: Default
  C2: http://195.133.18.126/ZIaKfGwC3P.php
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description / ioc / Process
  - Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\taskmanager.exe\","  DA8.exe

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource / yara_rule
  - behavioral1/memory/1888-135-0x0000000000C90000-0x0000000000CF9000-memory.dmp  family_redline
  - behavioral1/memory/2384-165-0x0000000000870000-0x0000000000922000-memory.dmp  family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

Arkei Stealer Payload (1 IoC)
  resource / yara_rule
  - behavioral1/memory/3556-260-0x0000000000EE0000-0x00000000012AB000-memory.dmp  family_arkei

Bazar/Team9 Loader payload (1 IoC)
  resource / yara_rule
  - behavioral1/memory/1444-242-0x0000000003280000-0x00000000032C0000-memory.dmp  BazarLoaderVar5

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Nirsoft (5 IoCs)
  resource / yara_rule
  - behavioral1/files/0x0014000000015608-266.dat  Nirsoft
  - behavioral1/files/0x0014000000015608-267.dat  Nirsoft
  - behavioral1/files/0x0014000000015608-269.dat  Nirsoft
  - behavioral1/files/0x0014000000015608-271.dat  Nirsoft
  - behavioral1/files/0x0014000000015608-273.dat  Nirsoft
Downloads MZ/PE file

Executes dropped EXE (18 IoCs)
  pid / Process
  - 3228  47B3.exe
  - 3368  47B3.exe
  - 1892  C35D.exe
  - 1888  C5EE.exe
  - 2384  B36.exe
  - 3004  DA8.exe
  - 2104  1C30.exe
  - 1872  tkools.exe
  - 1384  3A29.exe
  - 3556  7B1B.exe
  - 3304  AdvancedRun.exe
  - 2204  AdvancedRun.exe
  - 3764  AdvancedRun.exe
  - 1500  AdvancedRun.exe
  - 1064  DA8.exe
  - 2132  eaetsdj
  - 2140  tkools.exe
  - 2944  eaetsdj

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / Process
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  7B1B.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  7B1B.exe

Deletes itself (1 IoC)
  pid / Process
  - 3040  Process not Found

Loads dropped DLL (4 IoCs)
  pid / Process
  - 1444  regsvr32.exe
  - 3556  7B1B.exe
  - 3556  7B1B.exe
  - 3556  7B1B.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process
  - Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\DA8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\DA8.exe\""  DA8.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled (1 IoC)
  description / ioc / Process
  - Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  7B1B.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid / Process
  - 1888  C5EE.exe
  - 2384  B36.exe
  - 3556  7B1B.exe
  - 3556  7B1B.exe

Suspicious use of SetThreadContext (4 IoCs)
  description / pid / Process / procid_target
  - PID 3048 set thread context of 2744  3048  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe  68
  - PID 3228 set thread context of 3368  3228  47B3.exe  71
  - PID 3004 set thread context of 1064  3004  DA8.exe  113
  - PID 2132 set thread context of 2944  2132  eaetsdj  116

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
  - Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
  - Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
  - Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  47B3.exe
  - Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eaetsdj
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  47B3.exe
  - Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  47B3.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eaetsdj
  - Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eaetsdj

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process
  - Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  7B1B.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  7B1B.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process
  - 1740  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid / Process
  - 1532  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (identical rows grouped; count in parentheses)
  - 2744  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe  (2 rows)
  - 3040  Process not Found  (62 rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process
  - 3040  Process not Found

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid / Process
  - 2744  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
  - 3368  47B3.exe
  - 2944  eaetsdj

Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Token / pid / Process (identical rows grouped; count in parentheses; the 3040 rows alternate with the others in the original listing)
  - SeShutdownPrivilege  3040  Process not Found  (25 rows)
  - SeCreatePagefilePrivilege  3040  Process not Found  (25 rows)
  - SeDebugPrivilege  3004  DA8.exe
  - SeDebugPrivilege  1888  C5EE.exe
  - SeDebugPrivilege  2812  powershell.exe
  - SeDebugPrivilege  3304  AdvancedRun.exe
  - SeImpersonatePrivilege  3304  AdvancedRun.exe
  - SeDebugPrivilege  2204  AdvancedRun.exe
  - SeImpersonatePrivilege  2204  AdvancedRun.exe
  - SeDebugPrivilege  3764  AdvancedRun.exe
  - SeImpersonatePrivilege  3764  AdvancedRun.exe
  - SeDebugPrivilege  1500  AdvancedRun.exe
  - SeImpersonatePrivilege  1500  AdvancedRun.exe
  - SeDebugPrivilege  3512  powershell.exe
  - SeDebugPrivilege  1064  DA8.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (identical rows grouped; count in parentheses)
  - PID 3048 wrote to memory of 2744  3048  84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe  68  (6 rows)
  - PID 3040 wrote to memory of 3228  3040  Process not Found  70  (3 rows)
  - PID 3228 wrote to memory of 3368  3228  47B3.exe  71  (6 rows)
  - PID 3040 wrote to memory of 1892  3040  Process not Found  72  (3 rows)
  - PID 3040 wrote to memory of 1888  3040  Process not Found  73  (3 rows)
  - PID 3040 wrote to memory of 1444  3040  Process not Found  77  (2 rows)
  - PID 3040 wrote to memory of 2384  3040  Process not Found  78  (3 rows)
  - PID 3040 wrote to memory of 3004  3040  Process not Found  79  (2 rows)
  - PID 3004 wrote to memory of 2812  3004  DA8.exe  80  (2 rows)
  - PID 3040 wrote to memory of 2104  3040  Process not Found  82  (3 rows)
  - PID 2812 wrote to memory of 1532  2812  powershell.exe  83  (2 rows)
  - PID 2104 wrote to memory of 1540  2104  1C30.exe  84  (3 rows)
  - PID 1540 wrote to memory of 3252  1540  cmd.exe  86  (3 rows)
  - PID 1540 wrote to memory of 3384  1540  cmd.exe  87  (3 rows)
  - PID 2104 wrote to memory of 680  2104  1C30.exe  88  (3 rows)
  - PID 680 wrote to memory of 2596  680  cmd.exe  90  (3 rows)
  - PID 2104 wrote to memory of 2164  2104  1C30.exe  91  (3 rows)
  - PID 2164 wrote to memory of 3444  2164  cmd.exe  93  (3 rows)
  - PID 2164 wrote to memory of 3372  2164  cmd.exe  94  (3 rows)
  - PID 2104 wrote to memory of 3244  2104  1C30.exe  95  (3 rows)
  - PID 2104 wrote to memory of 1872  2104  1C30.exe  97  (2 rows)
Processes

Each entry gives the image path, the command line as recorded, the tree depth in brackets, the signatures hit, and the PID. Children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3048
    [2] C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        PID: 2744

[1] C:\Users\Admin\AppData\Local\Temp\47B3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\47B3.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3228
    [2] C:\Users\Admin\AppData\Local\Temp\47B3.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\47B3.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
        PID: 3368

[1] C:\Users\Admin\AppData\Local\Temp\C35D.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C35D.exe
    - Executes dropped EXE
    PID: 1892

[1] C:\Users\Admin\AppData\Local\Temp\C5EE.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C5EE.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID: 1888

[1] C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6C1.dll
    - Loads dropped DLL
    PID: 1444

[1] C:\Users\Admin\AppData\Local\Temp\B36.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\B36.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID: 2384

[1] C:\Users\Admin\AppData\Local\Temp\DA8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\DA8.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3004
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping youtube.com
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2812
        [3] C:\Windows\system32\PING.EXE
            Command line: "C:\Windows\system32\PING.EXE" youtube.com
            - Runs ping.exe
            PID: 1532
    [2] C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 3304
        [3] C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3304
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 2204
    [2] C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 3764
        [3] C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3764
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1500
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\DA8.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
        PID: 3512
    [2] C:\Users\Admin\AppData\Local\Temp\DA8.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\DA8.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        PID: 1064

[1] C:\Users\Admin\AppData\Local\Temp\1C30.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1C30.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2104
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
        - Suspicious use of WriteProcessMemory
        PID: 1540
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 3252
        [3] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
            PID: 3384
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
        - Suspicious use of WriteProcessMemory
        PID: 680
        [3] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
            PID: 2596
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
        - Suspicious use of WriteProcessMemory
        PID: 2164
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 3444
        [3] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
            PID: 3372
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
        PID: 3244
        [3] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
            PID: 1908
    [2] C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
        - Executes dropped EXE
        PID: 1872
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
            PID: 3588
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
                PID: 2140
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
            - Creates scheduled task(s)
            PID: 1740

[1] C:\Users\Admin\AppData\Local\Temp\3A29.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3A29.exe
    - Executes dropped EXE
    PID: 1384

[1] C:\Users\Admin\AppData\Local\Temp\7B1B.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7B1B.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    PID: 3556

[1] C:\Users\Admin\AppData\Roaming\eaetsdj
    Command line: C:\Users\Admin\AppData\Roaming\eaetsdj
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2132
    [2] C:\Users\Admin\AppData\Roaming\eaetsdj
        Command line: C:\Users\Admin\AppData\Roaming\eaetsdj
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
        PID: 2944

[1] C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    - Executes dropped EXE
    PID: 2140