Analysis

max time kernel: 151s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211014
submitted: 07/12/2021, 20:13

Static task: static1
Behavioral task: behavioral1
Sample: b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
Resource: win10-en-20211014

General

Target: b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
Size: 341KB
MD5: 44c534a25397b6e564f7a1f1ade5c018
SHA1: 8e2ae659ed82c0b586566a1aa5e5456931764d51
SHA256: b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
SHA512: f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80
Malware Config

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://host-data-coin-11.com/
    http://file-coin-host-12.com/

Extracted
  Family: raccoon
  Version: 1.8.3-hotfix
  Botnet: f797145799b7b1b77b35d81de942eee0908da519
  url4cnc:
    http://91.219.236.27/capibar
    http://94.158.245.167/capibar
    http://185.163.204.216/capibar
    http://185.225.19.238/capibar
    http://185.163.204.218/capibar
    https://t.me/capibar

Extracted
  Family: amadey
  Version: 2.86
  C2:
    185.215.113.35/d2VxjasuwS/index.php

Extracted
  Family: raccoon
  Version: 1.8.3-hotfix
  Botnet: fd4f23250443a724a3d1548e6ab07c481dfc2814
  url4cnc:
    http://91.219.236.27/duglassa1
    http://94.158.245.167/duglassa1
    http://185.163.204.216/duglassa1
    http://185.225.19.238/duglassa1
    http://185.163.204.218/duglassa1
    https://t.me/duglassa1

Extracted
  Family: arkei
  Botnet: Default
  C2:
    http://195.133.18.126/ZIaKfGwC3P.php
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Modifies WinLogon for persistence 2 TTPs 1 IoCs
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\taskmanager.exe\","  (E715.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
  - behavioral1/memory/4048-136-0x00000000011F0000-0x0000000001259000-memory.dmp  (family_redline)
  - behavioral1/memory/1488-167-0x0000000000C50000-0x0000000000D02000-memory.dmp  (family_redline)

SmokeLoader
Modular backdoor trojan in use since 2014.

Arkei Stealer Payload 1 IoCs
  - behavioral1/memory/2476-265-0x00000000011E0000-0x00000000015AB000-memory.dmp  (family_arkei)

Bazar/Team9 Loader payload 1 IoCs
  - behavioral1/memory/1292-243-0x0000000000E80000-0x0000000000EC0000-memory.dmp  (BazarLoaderVar5)

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Nirsoft 5 IoCs
  - behavioral1/files/0x0011000000019f3d-271.dat  (Nirsoft)
  - behavioral1/files/0x0011000000019f3d-272.dat  (Nirsoft)
  - behavioral1/files/0x0011000000019f3d-274.dat  (Nirsoft)
  - behavioral1/files/0x0011000000019f3d-276.dat  (Nirsoft)
  - behavioral1/files/0x0011000000019f3d-278.dat  (Nirsoft)

Downloads MZ/PE file

Executes dropped EXE 16 IoCs
  - 1580  9074.exe
  - 3488  9074.exe
  - 3680  A229.exe
  - 4048  A4BA.exe
  - 1488  E3E8.exe
  - 1852  E715.exe
  - 4032  F484.exe
  - 3016  F31.exe
  - 3544  tkools.exe
  - 2476  4D73.exe
  - 3776  tkools.exe
  - 3904  AdvancedRun.exe
  - 816  AdvancedRun.exe
  - 3056  AdvancedRun.exe
  - 2652  AdvancedRun.exe
  - 1992  E715.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (4D73.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (4D73.exe)

Deletes itself 1 IoCs
  - 3020  Process not Found

Loads dropped DLL 4 IoCs
  - 1292  regsvr32.exe
  - 2476  4D73.exe
  - 2476  4D73.exe
  - 2476  4D73.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\E715 = "\"C:\\Users\\Admin\\AppData\\Roaming\\E715.exe\""  (E715.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (4D73.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  - 4048  A4BA.exe
  - 1488  E3E8.exe
  - 2476  4D73.exe
  - 2476  4D73.exe

Suspicious use of SetThreadContext 3 IoCs
  - PID 2756 set thread context of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 1580 set thread context of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 1852 set thread context of 1992  (pid 1852 E715.exe, procid_target 114)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (9074.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (9074.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (9074.exe)

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (4D73.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (4D73.exe)

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  - 2540  schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs
  - 1936  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  - 3020  Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs
  - 3104  b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
  - 3488  9074.exe
Suspicious use of AdjustPrivilegeToken 61 IoCs
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeDebugPrivilege  (pid 4048 A4BA.exe)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeDebugPrivilege  (pid 1852 E715.exe)
  - Token: SeDebugPrivilege  (pid 3980 powershell.exe)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeDebugPrivilege  (pid 3904 AdvancedRun.exe)
  - Token: SeImpersonatePrivilege  (pid 3904 AdvancedRun.exe)
  - Token: SeDebugPrivilege  (pid 816 AdvancedRun.exe)
  - Token: SeImpersonatePrivilege  (pid 816 AdvancedRun.exe)
  - Token: SeDebugPrivilege  (pid 3056 AdvancedRun.exe)
  - Token: SeImpersonatePrivilege  (pid 3056 AdvancedRun.exe)
  - Token: SeDebugPrivilege  (pid 2652 AdvancedRun.exe)
  - Token: SeImpersonatePrivilege  (pid 2652 AdvancedRun.exe)
  - Token: SeDebugPrivilege  (pid 3416 powershell.exe)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
  - Token: SeDebugPrivilege  (pid 1992 E715.exe)
  - Token: SeShutdownPrivilege  (pid 3020 Process not Found)
  - Token: SeCreatePagefilePrivilege  (pid 3020 Process not Found)
Suspicious use of WriteProcessMemory 64 IoCs
  - PID 2756 wrote to memory of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 2756 wrote to memory of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 2756 wrote to memory of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 2756 wrote to memory of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 2756 wrote to memory of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 2756 wrote to memory of 3104  (pid 2756 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe, procid_target 69)
  - PID 3020 wrote to memory of 1580  (pid 3020 Process not Found, procid_target 70)
  - PID 3020 wrote to memory of 1580  (pid 3020 Process not Found, procid_target 70)
  - PID 3020 wrote to memory of 1580  (pid 3020 Process not Found, procid_target 70)
  - PID 1580 wrote to memory of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 1580 wrote to memory of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 1580 wrote to memory of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 1580 wrote to memory of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 1580 wrote to memory of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 1580 wrote to memory of 3488  (pid 1580 9074.exe, procid_target 71)
  - PID 3020 wrote to memory of 3680  (pid 3020 Process not Found, procid_target 72)
  - PID 3020 wrote to memory of 3680  (pid 3020 Process not Found, procid_target 72)
  - PID 3020 wrote to memory of 3680  (pid 3020 Process not Found, procid_target 72)
  - PID 3020 wrote to memory of 4048  (pid 3020 Process not Found, procid_target 73)
  - PID 3020 wrote to memory of 4048  (pid 3020 Process not Found, procid_target 73)
  - PID 3020 wrote to memory of 4048  (pid 3020 Process not Found, procid_target 73)
  - PID 3020 wrote to memory of 1292  (pid 3020 Process not Found, procid_target 77)
  - PID 3020 wrote to memory of 1292  (pid 3020 Process not Found, procid_target 77)
  - PID 3020 wrote to memory of 1488  (pid 3020 Process not Found, procid_target 78)
  - PID 3020 wrote to memory of 1488  (pid 3020 Process not Found, procid_target 78)
  - PID 3020 wrote to memory of 1488  (pid 3020 Process not Found, procid_target 78)
  - PID 3020 wrote to memory of 1852  (pid 3020 Process not Found, procid_target 79)
  - PID 3020 wrote to memory of 1852  (pid 3020 Process not Found, procid_target 79)
  - PID 1852 wrote to memory of 3980  (pid 1852 E715.exe, procid_target 80)
  - PID 1852 wrote to memory of 3980  (pid 1852 E715.exe, procid_target 80)
  - PID 3980 wrote to memory of 1936  (pid 3980 powershell.exe, procid_target 82)
  - PID 3980 wrote to memory of 1936  (pid 3980 powershell.exe, procid_target 82)
  - PID 3020 wrote to memory of 4032  (pid 3020 Process not Found, procid_target 83)
  - PID 3020 wrote to memory of 4032  (pid 3020 Process not Found, procid_target 83)
  - PID 3020 wrote to memory of 4032  (pid 3020 Process not Found, procid_target 83)
  - PID 4032 wrote to memory of 3128  (pid 4032 F484.exe, procid_target 84)
  - PID 4032 wrote to memory of 3128  (pid 4032 F484.exe, procid_target 84)
  - PID 4032 wrote to memory of 3128  (pid 4032 F484.exe, procid_target 84)
  - PID 3128 wrote to memory of 3696  (pid 3128 cmd.exe, procid_target 86)
  - PID 3128 wrote to memory of 3696  (pid 3128 cmd.exe, procid_target 86)
  - PID 3128 wrote to memory of 3696  (pid 3128 cmd.exe, procid_target 86)
  - PID 3128 wrote to memory of 2660  (pid 3128 cmd.exe, procid_target 87)
  - PID 3128 wrote to memory of 2660  (pid 3128 cmd.exe, procid_target 87)
  - PID 3128 wrote to memory of 2660  (pid 3128 cmd.exe, procid_target 87)
  - PID 4032 wrote to memory of 3616  (pid 4032 F484.exe, procid_target 88)
  - PID 4032 wrote to memory of 3616  (pid 4032 F484.exe, procid_target 88)
  - PID 4032 wrote to memory of 3616  (pid 4032 F484.exe, procid_target 88)
  - PID 3616 wrote to memory of 2436  (pid 3616 cmd.exe, procid_target 90)
  - PID 3616 wrote to memory of 2436  (pid 3616 cmd.exe, procid_target 90)
  - PID 3616 wrote to memory of 2436  (pid 3616 cmd.exe, procid_target 90)
  - PID 4032 wrote to memory of 3040  (pid 4032 F484.exe, procid_target 91)
  - PID 4032 wrote to memory of 3040  (pid 4032 F484.exe, procid_target 91)
  - PID 4032 wrote to memory of 3040  (pid 4032 F484.exe, procid_target 91)
  - PID 3040 wrote to memory of 1580  (pid 3040 cmd.exe, procid_target 93)
  - PID 3040 wrote to memory of 1580  (pid 3040 cmd.exe, procid_target 93)
  - PID 3040 wrote to memory of 1580  (pid 3040 cmd.exe, procid_target 93)
  - PID 3040 wrote to memory of 2828  (pid 3040 cmd.exe, procid_target 94)
  - PID 3040 wrote to memory of 2828  (pid 3040 cmd.exe, procid_target 94)
  - PID 3040 wrote to memory of 2828  (pid 3040 cmd.exe, procid_target 94)
  - PID 4032 wrote to memory of 1208  (pid 4032 F484.exe, procid_target 95)
  - PID 4032 wrote to memory of 1208  (pid 4032 F484.exe, procid_target 95)
  - PID 4032 wrote to memory of 1208  (pid 4032 F484.exe, procid_target 95)
  - PID 3020 wrote to memory of 3016  (pid 3020 Process not Found, procid_target 98)
  - PID 3020 wrote to memory of 3016  (pid 3020 Process not Found, procid_target 98)
Processes

C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"
  PID: 2756
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"
      PID: 3104
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\9074.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9074.exe
  PID: 1580
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\9074.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\9074.exe
      PID: 3488
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\A229.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A229.exe
  PID: 3680
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\A4BA.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A4BA.exe
  PID: 4048
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DFDF.dll
  PID: 1292
  - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\E3E8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E3E8.exe
  PID: 1488
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\E715.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E715.exe
  PID: 1852
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping youtube.com
      PID: 3980
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\PING.EXE
          Command line: "C:\Windows\system32\PING.EXE" youtube.com
          PID: 1936
          - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      PID: 3904
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3904
          PID: 816
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      PID: 3056
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3056
          PID: 2652
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\E715.exe" -Force
      PID: 3416
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\E715.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\E715.exe
      PID: 1992
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\F484.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F484.exe
  PID: 4032
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
      PID: 3128
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID: 3696

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
          PID: 2660

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
      PID: 3616
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
          PID: 2436

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
      PID: 3040
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID: 1580

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
          PID: 2828

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
      PID: 1208

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
          PID: 1708

    C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
      PID: 3544
      - Executes dropped EXE

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
          PID: 1636

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
              PID: 2976

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
          PID: 2540
          - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\F31.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F31.exe
  PID: 3016
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\4D73.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4D73.exe
  PID: 2476
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  PID: 3776
  - Executes dropped EXE