icedid | 0ecca89b428fe89c9af8a661a71c8e5eab9873d76ff5b4191fbd94100d0e05bc

General

Target

dart.dll
Size

149KB
MD5

5a10673301a00d36c56e189d0ff3b6a5
SHA1

c90c05bc0413134e026038b9f55e3119de15e215
SHA256

0ecca89b428fe89c9af8a661a71c8e5eab9873d76ff5b4191fbd94100d0e05bc
SHA512

aa56193f93bd43e78a2af187c4458e92fc05c953d1e2e39a5576b577d1ae3fd1c4993c39b95956162f2f05badda61a9ed06c92abb0a6c3c214e1bcb97c03c23e

Score

10^/10

icedid 3546287305 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

3546287305

C2

oceriesfornot.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Drops file in System32 directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7615BF00-6003-4DD9-9778-BF26B6ECE320}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CC7D15F8-DFC2-4FDD-B0D2-164401D7C70A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Drops file in Windows directory 62 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT50E0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT52E7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BITCA02.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\Xbfe7KpvVnvJHxQ2cRDBmUlnoMnpDY=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT9B29.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT9A7C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITDEBC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT5288.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT5D6A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT973F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BITF037.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BITC59C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BITD6BA.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BITE8F2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BITD35D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\fbaaae7103d0f0a1303a40d280aa18bafcd08dcf	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BITE64F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITA194.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BITC133.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BITE826.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT521A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT54FC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BITD213.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT8F7A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\daNJ9YVgpN191GzoPynRDpTEDO9uUytOK6Ln7xcN8To=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BITBFFA.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BITC1F0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BITD748.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITDE3E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITA0C8.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BITC51E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\c3ca3df6b0660cc02fa0c60992eb1164c186b223	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT5F40.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT96B0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT601C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\2cd32031792245e69c7777193005916861cbbe94	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BITE6FC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT9007.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT971F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BITC210.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BITCAA0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITD2DF.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT5365.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT5C7F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT95E4.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\v9GXr9MSfUt92b0dEpOsHH2H0TwcnvKmtIW8g3ovM=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITD37D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BITEF6B.tmp	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B21A343F = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000004f069fde1145ca7a6d7f213c040cadc1690d2a7abcc245c5b7c68da00a0d0e1c000000000e8000000002000020000000f4cc4061781061aeb903b4d628e4702320ccc98a7c27c83aab266961474de0be800000009a10de68c2f8800229ee512d9834c666c17c84834fa50d163765fd88bec2a99d89f7879622524c73a6ad2ff95931c24eb88a5d12bdd6e7ff099e8d184148b5463be93059fc7e38d03ca0f43d02187583c7fdf2ef619abc55c3aaad3a1f6e91587d3b624512bfb73e11c769a1609741e6b5f51f0ca0507c7e7f23f031a4b69fcb400000002da07688cf6e7fdeafb05103fef776fefa0dd4792a7c6b521a55b5c4f6e57bdce7c707e835f8cc1bf4b27cd7daa367a230a68b883632e7217f2b7aefa8c02782	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000a622d7dec47f2ef97cca6f1eb764a945890f9e04e2bcdfc6a01334e1c4a3d9ac000000000e8000000002000020000000adafb66a3e8c78d5bbad27e91bb09ad82bb4fb37243bd85caa98434da1803c04100d00000ce674e2dd300e47b0f3c519704ea29d771d730d744d39c7e97ea4ffc498118f87a4a94a147df410fbdba7f4f655830deb9d66a1e06ab66aa2cc298071730429be511f3c4415d616a3c2bd2519ed02620a2d7a0042b7c1d44b1f9d3e22a31df7a1364c8896a6b7126fc8eff9c6b9a6e91dd0433de6e2131d980e9e9d2d434984121813a6cb2656e444185ed7cd91cb1b04fcb7436e8624eb01bb8623f653a515608d79d895d4e361260aa9492d2166aeeb576265c96ac069eb0f41892076a17f58808e8d55ad99523833f689f886093ee5ded6e2747be3dd57b7abf017b214076b52c75316d2ffe5ad77dfb089a439b42f1ab6059c29022933df49bcd953f300f815754d28a2379d5f89fd522e372b138bfda4ba221afcb6777bd50f526e273e85a53c1c87d23254ae28ff44365cdb33f2ab630e4259c0de8f4fcde51256d188b869d1628863366c383d8fcfbcc89801478890a0f37b12ae741ee0437e033519c9fa7e06cddeaaf697e491207caccb2f5e561980f05b9460889ae2638af096a5b803f014766839a98f612c8914968dca773e27c32b08cfbb057ab57dacf4326c7495379c8b31adc35a4b609366bf1c7ee339ff8fdce90309fad9daf5c96ba2483b480884c6d8a0cadbb50c4941f2a375004494d05becab4d8a305883643531d19705b4b3a7271eca30dceb702bad8ee66371fc0f9acc606f07a0b1229fec96bdca9db89eca2be36c5d2da05cc1efb37d32af607b2a011f9ca44c58f2de6240e1b078148d7fdfb855bb7b4a466c56e608ff7185c9880d43efd42b95b6598d55d4327b6ac191c74290651980a4fb3fb4eca0f18e05f115a80fc8a99e6ccaec0efe3cc34ab7e3a1b2edef0c4db6fc9e41b2e410d6cb45c970fbfb116752545f8aa83de7c7ad8e8f1860b541e7fd2a5ebf7a713c88b1229c34573074711480116373f02e66a85570c1f2909001a1f62c5ecd093ae923fe9c8c851537e4e475a78063bbb69952e4e047a78f3835dd56370eeffde8c2c62cf219938d432242b5a266ce0a90b9de0ed315710ce9d14cf2e6ed032d8ddbbb2e3114d1b0a626b55f0af3a286dff215d6a71b76d276c0e13f6865928a12f7bb11059c89b0c9fd0861696d657e1974bc192d246901b1a802d3acd8fd640a130e19a635b9e101892488de5f96ad605f13f060d0a7c8ca32b0730785cb6a8fb9da05d0a5321e60088130d8854c8c5353c7e4f74a59fc9a3e3f4698f9fd29c88e0562de2974b9393f8fa4ec82eee10215476e5e21a314d69da4c8062f42574f603b669d59718d96386456a1619ddd2fc29d56381114dcc7710d8058d34ccb8f7f6d6c7f650881700f916a04a156a792c4c2e09971cd10c6c9434597fd441354c5632903016dc4845fd0a63d7460f679126b29be1e5723957abaa8b4700b9a2122a16c763582987910006e2532400cb77316b69ad627a82e08cff1af2534c9631158975fb4876068a14556dcc462bc17e5acb333968d7401a3f791e66ff3e7a5d78266fc4de24dc72d2dc528fae8b7f51dba73d41b1be02dc69d211b507851ddf04914b8f9b03897f7d5d2366c5b713365182659639e471ee12efc211f379e5ab52d0a3cada2318fe69811995c45ce669b636319a5f958c78349613983997d7ab2d78a83b5eb1e15911a6f1af5858b6c72318b4347cc7b8489b27c42c9f260819e2edbf13cb88a41242fff7df423fed95a1f26e3d525128f4bc395ca14e29be951136a1fe4e3f9266e4eb7bf901914de62edb5353bfa9495be964048bccd8825f2a4b823e23a2964c94d78c46458f36c4daabdf6d09ffad5273cd739981cfe151ad1f601a13a64440835134c40c9557978f660f43732560508649fcc775cae54a579cf3901192d5ab6691f7db8f3baf943652ffe7df27c346e6c5694a593095cb56e5145c8578182bbaeea512f57cdcbe1a784f40a607e071cac6ac11f9c71605efc9ba405ce5491c98284cac5b3d12ce75e83f3bec4b263f203455138885b7af6e602ab1a2a30725c7e33cb5fc37f8d7a432b73c4541ea9376d5e7b8611ebe487740e38389de8e9eacdd798ab17c859fb2f74e609841d68f7b4dd1ac44af23e52fad65239cdaa01af9d2e9017b378cd31efad6aabc5e2bbe57aaae1e609c86f7618905fb1ae7f45c8512a88f74b175389dec5e4ce6468ac0384770e9f392d80d3bf089b2a95f5891edb0a210e34e06b20a0e9a91c0bd90e165f40938695d8f97d39094c1bc8e487329f364fd0d7bd2d18621191352774e2515fb3b85386edc4fef44af274bbbc3029afd94e34e7a808850e3f95910e22eb92cfcfae4bd9d742a4719416a15e1644f408c213a1ac33467cb1c8b50d68b5a2a4c359a001194f2f390e87a1b9b1f9574f795b52b2e589023beb6dbb7e36c904a2601f20b29828b8de3aa0885430ea7f7e55433136965dc0dbfd061a16226bd4b76cf5eb2001e165d8fec94ee23058864e2bf309a47f0c22976c894e45603ba1a60228346a7501e0a5bd83aecf71053a828c5a37bf2ecf67cc82ad9f3874511f862c197d03a950599598db87efcfb87110161d4861ccba8449e908de88a4ba545030c25879fae48776480015a2d2cdac387e91d62446780900ff0b477adfef178902c9c23b8af3cad64bef77b077ef947c5051d1d55b78b793e00dd59295c60feb8e05d9467605b241169a1d2573a88173d906fb0376c233dc509e2c645503884654016737513a38aef04aa995052c89bec012ccc344b5d921f7d49f1667c4e288c0695d831ff636b861cd79ca94463ce6aa0048cd4bc2438da0fe4dc27fef339779f1fc8e070bb261dfea46da6560a879e84bc49ab383d2c60b0c79ea711cd9c58291b213ced16efb17e2d41ceb4f8b8975e3a01212c191eeebf31879add73a790ca83f78145753a47b861686653751776cadf784f2ea321ce7fc4d86d6e1749552be70165d44af079fe0d0e3639c97973ee43531423f3533dd1459788d81731fe07b2924fecd4619a59fd113381e2e2ea55675cf511cba720c780c5342186fa09bbbe7ca7aaf8bdb653cf136f06eb62255edc76a9be476a02a9d79d4b58a8c9857db4010fbb2939677259f2d2c3ed9ebca773d3461a136823befba4098e8c94081a22440ac8f4646b86c8de41dccda7981158745e8ffe4cf5ca94cfa2c2e718147fa6b5ad2e9d71e1d79b595151e4531545585fa4362ac7783c4dd853c83c9fd194ce666a5884092370b074bf1a6eab2f0b3d016c8b08c480c053726341fd6734701bb3273037e8328356562608e23e1f02a6ff6f2272a36e03ed8853bf0fbe690b93ea60eb6a83f6b57c19fc24bfa61cd3c43498ac186abaab01aae8b5d08f799ccd7bdc57c70024da6a237406d382b79d174c539bba927d447bc09896543a92c3e8104c33f23a41c5d0f7c54d6082d1bab16158e4c400722fc318ca274a6b66c02a768b230f145d8b8a43d53eb212492ee7d5920d57a78ce979d8f5ed07ab7c6681461d2d000a42db11334324562842afdb292c084a66449e4234dac2d559887a5f3e2e88cde4b336c03eab824d40287f89a9b1ba6e55001e8ab707530dcb57a27532904712084c232b1b1755f43fd32e592d7081efa7297830954505384b53fe3a7737e99eac478eab6fff25f04273752ad1f032e19ef6c392ba98a368cf773dbe868093be991135d476d3a1c38b425e563458bcee92d6c4ab6991b82a2dd653b1323acfd1b160f58f45d7853dbcf73b7c99a03f74cbaf641a273aca408579d2cb239b5735eeccc19b5ba4c32ed62cca64b3f4f1ac4d4e3d334daae283c4d7483ae44ea72bec17eadc07c0ef0b62a62b57bfe2f1288464ca87a0498a39bb47190260d240a8876ecb62fb5d87fbbdcde8d6c0271fc62811b5a42a050e54b0473f6fafeab47bed0f8e04b19cd607fb031bab5896d00e4e213522a8629b83469717477a64ece5d43c2d5092b541c42da614d6d7137961c647c1b5736e620924a25857549f26d55a230f66f1bf1832ae52daddb207508f10ce524091a12ae3c8362881ae366896856431db68095ab7f27a72d0c7d082eb149a9632597dd0f7a6a3abeff67b902dcebba98f1e9afd3948eef61e7b519b8461d280f18e3a3448de5a3e4052137ab9c140c4af365dc284f5e291b7cc7d34c71e19f79b75f4152f978eb0888345ee20efef057f1303e555fc49b1607b90568eaa96c437d3c00b2284071f4be47046c2c9fa468f6502d2c92813448e0c88cf049cbb4e6c6499d4f345f537e3b318dc94bae37bede664d725041f0fac3d00203d2200e8f7953257a6b5ef9afa0421b5d8f3ad014853fa8c359113273b2bab4833fcf7725395e3d4a71701256a2c970539caa94c10544b6231a728fe7451f0b48ae97c0594a1127fb15fbd4ae16367cd5aca4be1a5fd7f69becdca26331c7fd1679911df4349ef1f46509e3db0b62e3a45d193cfe38d8e21e04c98508408c26baff3ff64a8ed037ca67addc546d3540d5344f8b997fdb1f896392ed3858de4f08ddba7f21457240579dae57480c45968233253c62b6a0af7c4ddc10506c09c86d5909f9198bf1b33816fbc6fac71bafd0f56e7af1de959612c2a5cf63875d4545990fbdec8ac8953982f7f1f404a7103bfe392b342a8454429f158564fc9f8c125eb4afb1ce0343cff17dc86511d3f4d641e776fc97e0bbe655661327d346b5ae04aa3b2d401f6729a27feaa84c2d2d4000000049a81cada46dfbb93e06c75a28fc2aaa7fed50d3f8af627e246079183d8fc49ef2f1de94c1413ef4f7e73a230f8f4aead8663a493d5dea7c05ca7573acb5e64f	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006B21A343F"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3096 regsvr32.exe
3096 regsvr32.exe

pid	process
3096	regsvr32.exe
3096	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dart.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-134-0x0000000180000000-0x000000018000B000-memory.dmp

Filesize
44KB

Download
memory/3968-140-0x000001B4917A0000-0x000001B4917B0000-memory.dmp

Filesize
64KB

Download
memory/3968-141-0x000001B492170000-0x000001B492180000-memory.dmp

Filesize
64KB

Download
memory/3968-142-0x000001B494720000-0x000001B494724000-memory.dmp

Filesize
16KB

Download
memory/3968-143-0x000001B494A80000-0x000001B494A84000-memory.dmp

Filesize
16KB

Download
memory/3968-144-0x000001B494A80000-0x000001B494A84000-memory.dmp

Filesize
16KB

Download
memory/3968-145-0x000001B494AA0000-0x000001B494AA4000-memory.dmp

Filesize
16KB

Download
memory/3968-146-0x000001B494A90000-0x000001B494A91000-memory.dmp

Filesize
4KB

Download
memory/3968-147-0x000001B494B80000-0x000001B494B84000-memory.dmp

Filesize
16KB

Download
memory/3968-148-0x000001B494B80000-0x000001B494B84000-memory.dmp

Filesize
16KB

Download
memory/3968-149-0x000001B494C10000-0x000001B494C14000-memory.dmp

Filesize
16KB

Download
memory/3968-150-0x000001B494B40000-0x000001B494B44000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads