General

Target:    intelsoftwareassetmanagerservice.exe
Filesize:  3MB
Completed: 20-05-2022 12:28
Task:      behavioral2
Score:     1/10

MD5:    5bdebce7118d30a387fec0f9329c5437
SHA1:   83a66c54772017c6fa0e243bcf5bbfebd2c29518
SHA256: b8f8ddaba5754af65c9b7c762d69e1b2bd3702307c41589977759d813bf78635
SHA512: 96676730f1529972ee7f6582d43d856ffeed4706d26042c961ed14598eb03c0be410c1fe4d993b5a2eb594a7de0eba5b9004c713e29ae7e932947beda1de80b4
Malware Config

Signatures (6)
- Modifies Internet Explorer settings (explorer.exe)
  TTPs: Defense Evasion
  Reported IOCs (description | ioc | process):
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe

- Modifies registry class (explorer.exe)
  Reported IOCs (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | explorer.exe

- Opens file in notepad (likely ransom note) (NOTEPAD.EXE)
  Reported IOCs (pid | process):
    3904 | NOTEPAD.EXE

- Suspicious behavior: AddClipboardFormatListener (explorer.exe)
  Reported IOCs (pid | process):
    2128 | explorer.exe

- Suspicious use of AdjustPrivilegeToken (svchost.exe, explorer.exe)
  Reported IOCs (description | pid | process):
    Token: SeManageVolumePrivilege | 4240 | svchost.exe
    Token: SeShutdownPrivilege | 2128 | explorer.exe
    Token: SeCreatePagefilePrivilege | 2128 | explorer.exe

- Suspicious use of FindShellTrayWindow (explorer.exe)
  Reported IOCs (pid | process):
    2128 | explorer.exe
Processes (7)

- C:\Users\Admin\AppData\Local\Temp\intelsoftwareassetmanagerservice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\intelsoftwareassetmanagerservice.exe"

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ShowSplit.txt
  Signatures: Opens file in notepad (likely ransom note)

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
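A practitioner reading the Signatures and Processes sections should notice that every one of the six signatures is attributed to explorer.exe, svchost.exe or NOTEPAD.EXE, and none to the submitted sample's own process; that is what the 1/10 score reflects. The notepad signature is a generic heuristic and the page shows no file-write IOC for ShowSplit.txt, so whether the sample produced that file is not established here. The Python below is an added example, not part of the sandbox report or the sandbox vendor's code. It parses the report's flattened "Reported IOCs" rows (reconstructed from the tables above as constructed input), attributes each signature to a process image, answers whether the sample itself triggered anything, and infers each digest's algorithm from its hex length, which is how the fourth hash in the General section turns out to be a SHA-512 rather than a second SHA256. The row-format rules (description prefixes, pid-only rows, "Token:" rows) are assumptions about how this report lays out its rows.

```python
import re
from collections import defaultdict

# Digests as printed in the report's General section. The fourth one is 128 hex
# characters long, so it is a SHA-512, whatever label the page put on it.
REPORT_DIGESTS = [
    "5bdebce7118d30a387fec0f9329c5437",
    "83a66c54772017c6fa0e243bcf5bbfebd2c29518",
    "b8f8ddaba5754af65c9b7c762d69e1b2bd3702307c41589977759d813bf78635",
    "96676730f1529972ee7f6582d43d856ffeed4706d26042c961ed14598eb03c0b"
    "e410c1fe4d993b5a2eb594a7de0eba5b9004c713e29ae7e932947beda1de80b4",
]

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digest_algorithm(hexdigest):
    """Name the digest algorithm from hex length; None for non-hex input or an unknown length."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdigest):
        return None
    return HEX_LEN_TO_ALGO.get(len(hexdigest))


# Registry hive prefix exactly as it appears in the report (SID of the sandbox user).
HIVE = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"

# Constructed input: one entry per signature, rows rebuilt from the report's
# flattened "Reported IOCs" tables in the sandbox's "description ioc process" shape.
SIGNATURES = {
    "Modifies Internet Explorer settings": [
        f'Set value (int) {HIVE}\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar\\Locked = "1" explorer.exe',
        f"Key created {HIVE}\\Software\\Microsoft\\Internet Explorer\\Toolbar explorer.exe",
    ],
    "Modifies registry class": [
        f"Key created {HIVE}_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell explorer.exe",
        f"Key created {HIVE}_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU explorer.exe",
        f"Set value (data) {HIVE}_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots explorer.exe",
        f"Set value (data) {HIVE}_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx = ffffffff explorer.exe",
        f"Key created {HIVE}_Classes\\Local Settings explorer.exe",
    ],
    "Opens file in notepad (likely ransom note)": ["3904 NOTEPAD.EXE"],
    "Suspicious behavior: AddClipboardFormatListener": ["2128 explorer.exe"],
    "Suspicious use of AdjustPrivilegeToken": [
        "Token: SeManageVolumePrivilege 4240 svchost.exe",
        "Token: SeShutdownPrivilege 2128 explorer.exe",
        "Token: SeCreatePagefilePrivilege 2128 explorer.exe",
    ],
    "Suspicious use of FindShellTrayWindow": ["2128 explorer.exe"],
}

# Assumed description prefixes; the text between the prefix and the last token is the IOC,
# which keeps registry paths containing spaces (e.g. "Local Settings") intact.
DESCRIPTIONS = ("Set value (int)", "Set value (data)", "Key created")


def parse_ioc_row(row):
    """Split one flattened IOC row into description / ioc / process (plus pid where present)."""
    row = row.strip()
    for prefix in DESCRIPTIONS:
        if row.startswith(prefix + " "):
            ioc, _, process = row[len(prefix) + 1:].rpartition(" ")
            return {"description": prefix, "ioc": ioc, "process": process}
    m = re.fullmatch(r"Token: (\S+) (\d+) (\S+)", row)
    if m:
        return {"description": "Token", "ioc": m.group(1), "pid": m.group(2), "process": m.group(3)}
    m = re.fullmatch(r"(\d+) (\S+)", row)
    if m:
        return {"description": "pid", "ioc": m.group(1), "pid": m.group(1), "process": m.group(2)}
    raise ValueError(f"unrecognised IOC row: {row!r}")


def signatures_by_process(signatures):
    """Map each process image name (lower-cased) to the set of signature names it triggered."""
    out = defaultdict(set)
    for name, rows in signatures.items():
        for row in rows:
            out[parse_ioc_row(row)["process"].lower()].add(name)
    return dict(out)


def sample_triggered_anything(signatures, sample_image):
    """True only if at least one reported IOC is attributed to the submitted sample's own process."""
    return sample_image.lower() in signatures_by_process(signatures)


if __name__ == "__main__":
    for d in REPORT_DIGESTS:
        print(f"{digest_algorithm(d):7} {d[:16]}...")
    for proc, sigs in sorted(signatures_by_process(SIGNATURES).items()):
        print(proc, "->", sorted(sigs))
    print("sample process triggered a signature:",
          sample_triggered_anything(SIGNATURES, "intelsoftwareassetmanagerservice.exe"))
```

Run stand-alone it prints the algorithm for each digest, five signatures under explorer.exe, one each under notepad.exe and svchost.exe, and False for the sample process. The same attribution step is the first thing to do with any low-score report: a signature that never lands on the submitted image is usually the sandbox desktop's own activity, not the sample's.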
Network
MITRE ATT&CK Matrix

Columns: Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads

- memory/4240-130-0x000001D114E40000-0x000001D114E50000-memory.dmp
- memory/4240-131-0x000001D114F40000-0x000001D114F50000-memory.dmp