Analysis
-
max time kernel: 155s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 15-02-2022 06:54
-
Tasks listed for this sample:
Static task: static1
Behavioral task: behavioral1, Sample b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe, Resource win7-en-20211208
The signatures, process tree, downloads and memory dumps below come from the Windows 10 run (memory-dump paths are prefixed behavioral2), not from the win7 task in that list.
General
-
Target: b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe
Size: 6.1MB
MD5: d17ddf62b40c19e794160069d3e970ae
SHA1: d0371179c03af231a8b07d175141944cb32a5115
SHA256: b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9
SHA512: 5b1a40e9a2399c6bb7dffd4340859a91a3acc6b8f28e7cafdc1d8df74be1f8a2bb63e76f14305788654f862f3247805cbcf3a94059496e154b5bd239e4eebc7f
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow 78, PID 3768: WScript.exe
-
Executes dropped EXE 3 IoCs
Processes:
  PID 3560: before.exe
  PID 2872: cleoidvp.exe
  PID 2816: IntelRapid.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments. All three dropped executables query both SystemBiosVersion and VideoBiosVersion.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  before.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  before.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  IntelRapid.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  IntelRapid.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  cleoidvp.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  cleoidvp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  cleoidvp.exe
-
Drops startup file 1 IoCs
Processes:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk  before.exe
The shortcut sits in the per-user Startup folder, so whatever it targets runs at every logon. The report does not show the shortcut's target, but before.exe is also the parent of IntelRapid.exe, and the Downloads section lists IntelRapid.exe with the same hashes as before.exe; the dropped copy under %APPDATA%\Intel Rapid\ is therefore the plausible target, though that remains an inference.
-
Loads dropped DLL 1 IoCs
Processes:
  PID 3716: b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe
The report names no DLL here. The only dropped DLL listed under Downloads is C:\Users\Admin\AppData\Local\Temp\nss76DF.tmp\UAC.dll; an ns*.tmp directory under %TEMP% is the naming NSIS installers use for their plug-in DLLs, although the report itself does not identify the installer.
-
Themida packer (YARA rule: themida) 16 IoCs
Processes:
  resource  yara_rule
  C:\Users\Admin\AppData\Local\Temp\droopt\before.exe  themida
  C:\Users\Admin\AppData\Local\Temp\droopt\before.exe  themida
  C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe  themida
  C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe  themida
  behavioral2/memory/3560-135-0x00007FF7A1CE0000-0x00007FF7A2660000-memory.dmp  themida
  behavioral2/memory/3560-136-0x00007FF7A1CE0000-0x00007FF7A2660000-memory.dmp  themida
  behavioral2/memory/3560-137-0x00007FF7A1CE0000-0x00007FF7A2660000-memory.dmp  themida
  C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe  themida
  C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe  themida
  behavioral2/memory/2816-141-0x00007FF7F9D00000-0x00007FF7FA680000-memory.dmp  themida
  behavioral2/memory/2816-142-0x00007FF7F9D00000-0x00007FF7FA680000-memory.dmp  themida
  behavioral2/memory/2816-143-0x00007FF7F9D00000-0x00007FF7FA680000-memory.dmp  themida
  behavioral2/memory/2872-145-0x0000000000820000-0x0000000000E96000-memory.dmp  themida
  behavioral2/memory/2872-146-0x0000000000820000-0x0000000000E96000-memory.dmp  themida
  behavioral2/memory/2872-147-0x0000000000820000-0x0000000000E96000-memory.dmp  themida
  behavioral2/memory/2872-148-0x0000000000820000-0x0000000000E96000-memory.dmp  themida
The rule fires on the dropped files on disk and on the in-memory images of all three dropped executables, so the Themida layer is still present at runtime; static string or import analysis of these files will see the packer, not the payload.
-
Checks whether UAC is enabled 3 IoCs
Processes:
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cleoidvp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  before.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  IntelRapid.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 43: ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
  PID 3560: before.exe
  PID 2816: IntelRapid.exe
  PID 2872: cleoidvp.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
  File created  C:\Program Files (x86)\foler\olader\acppage.dll  b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe
  File created  C:\Program Files (x86)\foler\olader\adprovider.dll  b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe
  File created  C:\Program Files (x86)\foler\olader\acledit.dll  b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe
-
Drops file in Windows directory 3 IoCs
Processes:
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
All three writes come from Windows components (the Delivery Optimization service host and the servicing-stack worker TiWorker.exe), none of which descends from the sample in the process tree; treat this signature as sandbox background activity, not sample behaviour.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s); the sandbox flags this as likely ransomware behaviour. No process or IoC is listed for this signature in the report, so the attribution cannot be checked here.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  cleoidvp.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  cleoidvp.exe
Only the cleoidvp.exe rows belong to the sample; MusNotifyIcon.exe is the Windows Update notification component and runs outside the sample's process tree.
-
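The BIOS, processor, EnableLUA and Geo\Nation reads above are the kind of registry IoCs an analyst wants sorted by intent and by process, with Windows background noise removed, before deciding what the sample does. The script below is an added example, not code from the sandbox or from this report: it parses rows in the report's "Key value queried / Key opened / Key created <path> <process>" form, maps each path to an evasion category, and counts hits per process. The category names, the path patterns and the BENIGN_PROCESSES allowlist are this example's own assumptions, and the event rows are constructed to mirror the report rather than captured from it.

```python
"""Triage registry IoCs from a sandbox report by evasion category and process.

Added example, not code from the sandbox or the report. SAMPLE_EVENTS is
constructed to mirror the report's registry rows; CATEGORIES and
BENIGN_PROCESSES are this example's own assumptions.
"""
import re
from collections import defaultdict

# Registry locations a sample reads to fingerprint the host, keyed by why a
# query to them is interesting. Assumed mapping; patterns are path suffixes.
CATEGORIES = {
    "anti-vm/bios": [
        r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$",
        r"\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion$",
    ],
    "anti-vm/cpu": [
        r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\ProcessorNameString|\\~MHz)?$",
    ],
    "uac-check": [r"\\Policies\\System\\EnableLUA$"],
    "geofence": [r"\\Control Panel\\International\\Geo\\Nation$"],
}

# Windows components that touch the same keys on their own during a run.
# Assumed allowlist: rows from these images are dropped so OS noise does not score.
BENIGN_PROCESSES = {"svchost.exe", "tiworker.exe", "musnotifyicon.exe"}

EVENT_RE = re.compile(
    r"^(?P<op>Key value queried|Key opened|Key created)\s+"
    r"(?P<path>\\REGISTRY\\.+?)\s+(?P<proc>\S+\.exe)$",
    re.IGNORECASE,
)


def parse_event(line):
    """Split one IoC row into (operation, registry path, process image), or None."""
    m = EVENT_RE.match(line.strip())
    return (m["op"], m["path"], m["proc"]) if m else None


def classify_path(path):
    """Return the first category whose pattern matches the path, or None."""
    for category, patterns in CATEGORIES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return category
    return None


def triage(lines):
    """Count categorised registry reads per non-benign process.

    Returns {process_image: {category: count}}. Rows that do not parse, rows
    from BENIGN_PROCESSES and paths with no category are ignored.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        _op, path, proc = event
        if proc.lower() in BENIGN_PROCESSES:
            continue
        category = classify_path(path)
        if category is not None:
            hits[proc][category] += 1
    return {proc: dict(cats) for proc, cats in hits.items()}


def summarize(result):
    """One line per process, processes and categories in sorted order."""
    return [
        f"{proc}: " + ", ".join(f"{cat} x{n}" for cat, n in sorted(cats.items()))
        for proc, cats in sorted(result.items())
    ]


# Constructed rows mirroring the report's registry IoCs (not a captured log).
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion before.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion before.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA before.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation cleoidvp.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cleoidvp.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cleoidvp.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings cleoidvp.exe",
    r"Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe",
    r"Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe",
]

if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_EVENTS)):
        print(line)
```

Run as-is it prints one line for before.exe (two BIOS reads, one EnableLUA read) and one for cleoidvp.exe (two CentralProcessor reads, one Geo\Nation read); the MusNotifyIcon.exe and svchost.exe rows are filtered out, and the Local Settings key creation has no category and is ignored. The allowlist is the part to tune per sandbox image: an image whose background processes differ will need different entries.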
Modifies data under HKEY_USERS 56 IoCs
Processes:
All 56 entries are written by svchost.exe (the "-k NetworkService -p" instance, PID 2080) under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\, the NetworkService profile's Delivery Optimization configuration and usage counters. None of them is attributable to the sample; this is Windows Update background activity in the sandbox VM. Entries in report order, paths relative to that DeliveryOptimization key:
  Key created      Settings
  Set value (int)  Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int)  Usage\GroupConnectionCount = "0"
  Key created      Usage
  Set value (int)  Usage\UplinkUsageBps = "0"
  Set value (int)  Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int)  Usage\MonthID = "1"
  Set value (int)  Usage\UploadCount = "0"
  Set value (int)  Config\DODownloadMode = "1"
  Set value (int)  Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int)  Usage\MemoryUsageKB = "4340"
  Set value (str)  Usage\CPUpct = "3.571241"
  Set value (str)  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int)  Usage\DownlinkBps = "0"
  Set value (int)  Usage\UplinkBps = "0"
  Set value (int)  Usage\MonthlyUploadRestriction = "0"
  Set value (int)  Usage\MonthID = "2"
  Set value (int)  Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkCnt = "4"
  Set value (int)  Usage\SwarmCount = "0"
  Set value (int)  Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int)  Usage\NormalDownloadCount = "0"
  Set value (int)  Usage\CDNConnectionCount = "0"
  Set value (int)  Usage\DownloadMonthlyLanBytes = "0"
  Set value (int)  Usage\PeerInfoCount = "0"
  Set value (int)  Usage\FrDownloadRatePct = "90"
  Set value (int)  Usage\MemoryUsageKB = "4128"
  Set value (int)  Usage\DownloadMonthlyCdnBytes = "90228624"
  Set value (int)  Usage\PriorityDownloadCount = "0"
  Set value (str)  Usage\CPUpct = "4.000014"
  Set value (int)  Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int)  Config\KVFileExpirationTime = "132895580866560650"
  Set value (int)  Usage\SwarmCount = "1"
  Set value (int)  Usage\LANConnectionCount = "0"
  Set value (int)  Usage\UploadRatePct = "100"
  Key created      Config
  Set value (int)  Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int)  Usage\PriorityDownloadPendingCount = "0"
  Set value (int)  Usage\NormalDownloadPendingCount = "0"
  Set value (str)  Usage\CPUpct = "0.006588"
  Set value (int)  Config\DownloadMode_BackCompat = "1"
  Set value (int)  Usage\UploadMonthlyLanBytes = "0"
  Set value (int)  Usage\LinkLocalConnectionCount = "0"
  Set value (int)  Usage\InternetConnectionCount = "0"
  Set value (int)  Usage\DownlinkUsageBps = "0"
  Set value (int)  Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkBps = "1157726"
  Set value (int)  Usage\MemoryUsageKB = "4348"
  Set value (int)  Usage\MemoryUsageKB = "3956"
  Set value (int)  Usage\CacheSizeBytes = "0"
  Set value (int)  Usage\BkDownloadRatePct = "45"
  Set value (str)  Usage\CPUpct = "14.287491"
  Key created      (the DeliveryOptimization key itself)
  Set value (str)  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int)  Usage\UploadMonthlyInternetBytes = "0"
-
Modifies registry class 1 IoCs
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings  cleoidvp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  PID 2816: IntelRapid.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  PID 2872: cleoidvp.exe
  PID 2872: cleoidvp.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  TiWorker.exe (PID 4076), 64 token adjustments, each enabling one of SeBackupPrivilege (22), SeRestorePrivilege (21) or SeSecurityPrivilege (21). Order as listed in the report: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, then nineteen repetitions of SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, then a final SeBackupPrivilege.
TiWorker.exe is the Windows Modules Installer worker; enabling backup, restore and security privileges is how it writes to the component store during servicing. It is not a child of the sample, so this signature is sandbox background activity.
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  PID 3716 wrote to memory of 3560  b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe -> before.exe  (2 rows)
  PID 3716 wrote to memory of 2872  b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe -> cleoidvp.exe  (3 rows)
  PID 3560 wrote to memory of 2816  before.exe -> IntelRapid.exe  (2 rows)
  PID 2872 wrote to memory of 3688  cleoidvp.exe -> WScript.exe  (3 rows)
  PID 2872 wrote to memory of 3768  cleoidvp.exe -> WScript.exe  (3 rows)
Every row is a parent writing into a child it has just created, which is what CreateProcess does when it sets up the new process's parameters; the rows therefore reproduce the creation chain shown under Processes below. Nothing in the report shows a write into a process the sample did not itself start.
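The WriteProcessMemory rows above are the raw material for the process tree, and the repeated rows (one per write into the same child) have to be collapsed before the tree is readable. The script below is an added example, not code from the sandbox or the report: it rebuilds parent/child edges from rows in the report's "PID X wrote to memory of Y X <parent image> <child image>" form, renders the tree, returns the ancestry of any PID, and flags dropped binaries that spawn a script host. The SAMPLE_ROWS are constructed to mirror the report, and SCRIPT_HOSTS is this example's own assumed list of interpreters.

```python
"""Rebuild a process tree from a sandbox report's WriteProcessMemory rows.

Added example, not code from the sandbox or the report. SAMPLE_ROWS is
constructed to mirror the report's rows; SCRIPT_HOSTS is an assumed list.
"""
import re
from collections import defaultdict

# Row layout: "PID <ppid> wrote to memory of <cpid> <ppid> <parent> <child>".
EDGE_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) \d+ "
    r"(?P<parent>\S+) (?P<child>\S+)"
)

# Interpreters whose launch from a dropped binary merits a look. Assumed list.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def build_tree(rows):
    """Return (names, parent_of): pid -> image name, child pid -> parent pid.

    The report emits one row per write into a child, so repeated rows for the
    same child collapse to a single edge. A parent writing into a child it has
    just created is normal CreateProcess behaviour (the parent fills in the
    child's process parameters), so these edges trace creation, not injection.
    """
    names, parent_of = {}, {}
    for row in rows:
        m = EDGE_RE.search(row)
        if not m:
            continue
        ppid, cpid = int(m["ppid"]), int(m["cpid"])
        names.setdefault(ppid, m["parent"])
        names.setdefault(cpid, m["child"])
        parent_of.setdefault(cpid, ppid)
    return names, parent_of


def ancestry(names, parent_of, pid):
    """Path from the root process down to pid, as 'image (pid)' strings."""
    chain = []
    while pid is not None:
        chain.append(f"{names[pid]} ({pid})")
        pid = parent_of.get(pid)
    return chain[::-1]


def render(names, parent_of):
    """Indented tree, one line per process; roots first, children by PID."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} [{pid}]")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in names if p not in parent_of):
        walk(root, 0)
    return lines


def script_host_spawners(names, parent_of):
    """Set of (parent image, parent pid) that launched a SCRIPT_HOSTS image."""
    return {
        (names[parent], parent)
        for child, parent in parent_of.items()
        if names[child].lower() in SCRIPT_HOSTS
    }


SAMPLE = "b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe"

# Constructed rows mirroring the report (not a captured log). The repeated
# row for PID 3560 mimics the report listing one row per write.
SAMPLE_ROWS = [
    f"PID 3716 wrote to memory of 3560 3716 {SAMPLE} before.exe",
    f"PID 3716 wrote to memory of 3560 3716 {SAMPLE} before.exe",
    f"PID 3716 wrote to memory of 2872 3716 {SAMPLE} cleoidvp.exe",
    "PID 3560 wrote to memory of 2816 3560 before.exe IntelRapid.exe",
    "PID 2872 wrote to memory of 3688 2872 cleoidvp.exe WScript.exe",
    "PID 2872 wrote to memory of 3768 2872 cleoidvp.exe WScript.exe",
]

if __name__ == "__main__":
    names, parent_of = build_tree(SAMPLE_ROWS)
    print("\n".join(render(names, parent_of)))
    print("script host spawners:", script_host_spawners(names, parent_of))
    print(" -> ".join(ancestry(names, parent_of, 3768)))
```

On the constructed rows the tree has one root (the sample, PID 3716) with two children, before.exe and cleoidvp.exe, and the ancestry of the network-making WScript.exe (PID 3768) resolves to sample -> cleoidvp.exe -> WScript.exe. Because the edge set only contains processes that appear in these rows, OS processes such as svchost.exe or TiWorker.exe never show up, which is a quick way to separate sample-descended activity from the rest of a report.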
Processes
-
C:\Users\Admin\AppData\Local\Temp\b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b543353168aed0d8f97bf242c27cebcae520a36aabbd5feddf3331611ec5afc9.exe"
  PID:3716
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\droopt\before.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\droopt\before.exe"
    PID:3560
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      PID:2816
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
  -
  C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe"
    PID:2872
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\iaumxtic.vbs"
      PID:3688
    -
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tdhfgqflvhkw.vbs"
      PID:3768
      - Blocklisted process makes network request
-
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID:2700
  - Checks processor information in registry
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID:2080
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID:4076
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
Notes on the tree: the two WScript.exe children were launched with the System32 path but run from SysWOW64, which is WoW64 file-system redirection applied to a 32-bit parent (cleoidvp.exe's image is mapped at 0x00820000 in the memory dumps, whereas before.exe and IntelRapid.exe sit at 0x00007FF7... and are 64-bit). The network request attributed to WScript.exe belongs to the PID 3768 instance, i.e. the tdhfgqflvhkw.vbs script; the report lists no network activity for the iaumxtic.vbs instance. MusNotifyIcon.exe, svchost.exe -k NetworkService and TiWorker.exe are Windows components with no parent in the sample's tree, so their signature hits are background activity of the sandbox VM.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  MD5: 54e9306f95f32e50ccd58af19753d929
  SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
  SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  MD5: b1c88cd80fa736ba6e517af7a7dcfd41
  SHA1: 88266af3e04fd9a176d41b010e667e2f97b93801
  SHA256: 461db141809949506e98faeb6f9608d366369f1f105a80209701939cb963c31e
  SHA512: 778f5f9f0a5da104c808a96076acb044bacacadd042935ec8312a2a5a2d0c507101482ca69b45f8f7d9ead3f78617ebca7e88a519e40f2fdc127e011d74489e5
-
C:\Users\Admin\AppData\Local\Temp\droopt\before.exe
  MD5: 8aee61bc611aa64b3f208f3a078c0b9d
  SHA1: fbd8b1f97262825748f2314ea5357c513928d450
  SHA256: c83e1a89de66553006542f3d2906b833bd0eec1eaaf9d6a7a791ff2224055e55
  SHA512: a842860b4932d89911731e634b35707affca7977fa08e3f0a874661cd3da63c34d048c9203d670108726b3a0a94e173dff7eccb8c18b3cadf2233098e7e70439
-
C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe
  MD5: dc8d694f9146f0612c47d12c2d1f207a
  SHA1: 210209e9bd1ebfc68febb35e419657e8f279151c
  SHA256: 8f62751fd75e19987374eaaf8c14ba2d689514c9677c00324b267a90513606c9
  SHA512: 5cf6836af46438886b1844f762939d43603555fcee45d6dc52da56f2912b06e496742b83f01817009d9cebdeba0b0912ecee9115252e70d131a7fed8cec19191
-
C:\Users\Admin\AppData\Local\Temp\iaumxtic.vbs
  MD5: d7ff92084815c8963bdab4536bcab294
  SHA1: 1e4d308cf84251772fbd250fdbe8c778283d031f
  SHA256: 872069b5cfbddf8295103fabd76b4503bd87e901a9b0fe6f74f3eb55135e9c2f
  SHA512: 7a0bdf5fd8c164f6629d676ec26166591da33075910b4ef1c2960d03233135daf882105c4b0cd0677b86ea8fc43a011c252176149e6cd083880f791509c10e53
-
C:\Users\Admin\AppData\Local\Temp\nss76DF.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
C:\Users\Admin\AppData\Local\Temp\tdhfgqflvhkw.vbs
  MD5: 9da5b0d94228cd90ea3252bc45880d5c
  SHA1: 82dba8314173308f3b76f53a7314e9e318943520
  SHA256: 9cbb2281b62f83261f58666438b559e47a0909bd99aaed22857e639fdccbb8a0
  SHA512: 8ae9e704bf99e188a180977db556a53c15470721944a049b09a915b25b532c5b9796d3f56f18d2137cdf0f0ff86a3ae213d68c6aa0a9be7230ad4f26d1d351c1
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  MD5: 8aee61bc611aa64b3f208f3a078c0b9d
  SHA1: fbd8b1f97262825748f2314ea5357c513928d450
  SHA256: c83e1a89de66553006542f3d2906b833bd0eec1eaaf9d6a7a791ff2224055e55
  SHA512: a842860b4932d89911731e634b35707affca7977fa08e3f0a874661cd3da63c34d048c9203d670108726b3a0a94e173dff7eccb8c18b3cadf2233098e7e70439
-
The report lists before.exe, cleoidvp.exe and IntelRapid.exe twice each with identical hashes; the repeats are omitted above. IntelRapid.exe carries exactly the same MD5/SHA1/SHA256/SHA512 as before.exe, so the file under %APPDATA%\Intel Rapid\ is a byte-for-byte copy of the dropped before.exe, consistent with before.exe placing its persistent copy there and the Startup shortcut of the same name. The two CryptnetUrlCache entries are CAPI2's cache of fetched certificate-chain data (CRL/AIA responses) and are written by the OS's crypto stack rather than by the sample's own code; the two .vbs scripts are the only plain-text payload components listed, and neither their contents nor the shortcut target appears in this report.
-
memory/2816-141-0x00007FF7F9D00000-0x00007FF7FA680000-memory.dmp  Filesize 9.5MB
memory/2816-142-0x00007FF7F9D00000-0x00007FF7FA680000-memory.dmp  Filesize 9.5MB
memory/2816-143-0x00007FF7F9D00000-0x00007FF7FA680000-memory.dmp  Filesize 9.5MB
-
memory/2872-145-0x0000000000820000-0x0000000000E96000-memory.dmp  Filesize 6.5MB
memory/2872-144-0x0000000077124000-0x0000000077126000-memory.dmp  Filesize 8KB
memory/2872-146-0x0000000000820000-0x0000000000E96000-memory.dmp  Filesize 6.5MB
memory/2872-147-0x0000000000820000-0x0000000000E96000-memory.dmp  Filesize 6.5MB
memory/2872-148-0x0000000000820000-0x0000000000E96000-memory.dmp  Filesize 6.5MB
-
memory/3560-138-0x00007FF92E410000-0x00007FF92E412000-memory.dmp  Filesize 8KB
memory/3560-137-0x00007FF7A1CE0000-0x00007FF7A2660000-memory.dmp  Filesize 9.5MB
memory/3560-136-0x00007FF7A1CE0000-0x00007FF7A2660000-memory.dmp  Filesize 9.5MB
memory/3560-135-0x00007FF7A1CE0000-0x00007FF7A2660000-memory.dmp  Filesize 9.5MB