Analysis

max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2022, 14:05

Static task: static1
Behavioral task: behavioral1
Sample: f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
Resource: win10v2004-20220901-en
General

Target: f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
Size: 332KB
MD5: a2f43c994764a2e52f6b9af48117e2fc
SHA1: 921f75cd7cfb96257c80abb4c74d126cf07d757f
SHA256: f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a
SHA512: 2f42bd41f82bfefb96881725442f2b8fe6972386e390ecfa1214a57735cd8b43d455dcba4566d418c685a642564443c5ea18a6214750566d12b91d196d0e3838
SSDEEP: 3072:fEXkv56WiCLSI97d5FGiM61c7QityMxg++YN/wGYkjyyQpdbtAJgc:4ILd9dXccQbWoN4G72vAv
Malware Config

Extracted: danabot
  153.92.223.225:443
  198.15.112.179:443
  185.62.56.245:443
  66.85.147.23:443
  embedded_hash: 61A1CB063216C13FFD2E15D7F3F515E2
  type: loader

Extracted: eternity
  http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
  45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8
  payload_urls: http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet/shared/xmrig.exe

Extracted: redline
  installs-49
  94.140.112.157:29329
  auth_value: f137ab12b29192785aff1f9a524f0090
Signatures

Detects Smokeloader packer (1 IoC)
resource | yara_rule
behavioral1/memory/2452-134-0x0000000002C50000-0x0000000002C59000-memory.dmp | family_smokeloader
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.
Blocklisted process makes network request (1 IoC)
flow | pid | Process
64 | 3196 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
pid | Process
884 | BB.exe
2264 | 1761.exe
3948 | Miner.exe
1920 | installs49.exe
3108 | Miner.exe
1436 | Miner.exe
5064 | Miner.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 1761.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | Miner.exe
Loads dropped DLL (1 IoC)
pid | Process
3196 | rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3196 set thread context of 1084 | 3196 | rundll32.exe | 100

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
3876 | 2264 | WerFault.exe | 85
3500 | 884 | WerFault.exe | 83
444 | 3108 | WerFault.exe | 96
4036 | 5064 | WerFault.exe | 104
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
Checks processor information in registry (2 TTPs, 46 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4532 | schtasks.exe

description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found -
Modifies registry class (19 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
Runs ping.exe (1 TTP, 1 IoC)
pid | Process
1352 | PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2056 | Process not Found

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2452 | f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
2452 | f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
2056 | Process not Found (this row is listed 62 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2056 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2452 | f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe

Suspicious use of AdjustPrivilegeToken (39 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeDebugPrivilege | 2264 | 1761.exe
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeDebugPrivilege | 3108 | Miner.exe
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeDebugPrivilege | 1084 | rundll32.exe
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
Token: SeDebugPrivilege | 1084 | rundll32.exe
Token: SeShutdownPrivilege | 2056 | Process not Found
Token: SeCreatePagefilePrivilege | 2056 | Process not Found
(the preceding SeShutdownPrivilege/SeCreatePagefilePrivilege pair for PID 2056 is listed 10 times in total)
Token: SeDebugPrivilege | 5064 | Miner.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1084 | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2056 | Process not Found
2056 | Process not Found

Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target
PID 2056 wrote to memory of 884 | 2056 | Process not Found | 83 (listed 3 times)
PID 2056 wrote to memory of 2264 | 2056 | Process not Found | 85 (listed 3 times)
PID 2264 wrote to memory of 3948 | 2264 | 1761.exe | 86 (listed 3 times)
PID 3948 wrote to memory of 3512 | 3948 | Miner.exe | 87 (listed 3 times)
PID 3512 wrote to memory of 852 | 3512 | cmd.exe | 89 (listed 3 times)
PID 3512 wrote to memory of 1352 | 3512 | cmd.exe | 90 (listed 3 times)
PID 2264 wrote to memory of 1920 | 2264 | 1761.exe | 91 (listed 3 times)
PID 3512 wrote to memory of 4532 | 3512 | cmd.exe | 95 (listed 3 times)
PID 3512 wrote to memory of 3108 | 3512 | cmd.exe | 96 (listed 3 times)
PID 884 wrote to memory of 3196 | 884 | BB.exe | 97 (listed 3 times)
PID 3196 wrote to memory of 1084 | 3196 | rundll32.exe | 100 (listed 4 times)

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes

(process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\f02ac5aad7f427e1c595e3bb7f70b1fcc9ad8b0f2aba266a22496ee813305c5a.exe"
    PID: 2452
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\BB.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\BB.exe
    PID: 884
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        cmdline: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll,start C:\Users\Admin\AppData\Local\Temp\BB.exe
        PID: 3196
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
            PID: 1084
            - Accesses Microsoft Outlook accounts
            - Accesses Microsoft Outlook profiles
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - outlook_office_path
            - outlook_win_path

    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 520
        PID: 3500
        - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\1761.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\1761.exe
    PID: 2264
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Miner.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
        PID: 3948
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
            PID: 3512
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 65001
                PID: 852

            [4] C:\Windows\SysWOW64\PING.EXE
                cmdline: ping 127.0.0.1
                PID: 1352
                - Runs ping.exe

            [4] C:\Windows\SysWOW64\schtasks.exe
                cmdline: schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f
                PID: 4532
                - Creates scheduled task(s)

            [4] C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
                cmdline: "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
                PID: 3108
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\SysWOW64\WerFault.exe
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1616
                    PID: 444
                    - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\installs49.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\installs49.exe"
        PID: 1920
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1572
        PID: 3876
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2264 -ip 2264
    PID: 1040

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 884 -ip 884
    PID: 3940

[1] C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    cmdline: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    PID: 1436
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3108 -ip 3108
    PID: 1640

[1] C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    cmdline: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    PID: 5064
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1568
        PID: 4036
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5064 -ip 5064
    PID: 5004
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 612B
MD5: 81ab0e59097e03cb04c32378024d6628
SHA1: cc2a7a335f905e787906b6a0820acfbd4c5d0ed2
SHA256: 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533
SHA512: 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb

Filesize: 16KB (listed 4 times)
MD5: d1b22ce6e0f11c1b8283a85d9f902bbd
SHA1: 8593038e651f856367d094b4541dd7cbffb8e7a3
SHA256: 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
SHA512: d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

Filesize: 436KB (listed 2 times)
MD5: f1ae38e744808d4df42eed53c896323a
SHA1: 0d0edac38a4e1a1c073aa99fc1009230a05deb74
SHA256: 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439
SHA512: b23262fd0709c2cdf2702bab85a39ffeeebc28644e268ddecf5861bef6307b3f92c50a73b5725fa1a8578033c446bd957277224a24ed7ccd806bf3d0a77376d6

Filesize: 2.5MB (listed 2 times)
MD5: c08c8e5c12cff34bb96614da2a7d8463
SHA1: 8087524b4356d7c6e7386eb70f6beeb27cace138
SHA256: 4df7fbfcf173cc99042df7b0750d314ba4cbd05c0b7baeed63bacdf021194aac
SHA512: f1943a66940f0919e1ce53a34e2ea7b0dd352cffed0d95a6f543f24459cbc6acfcb0bf2979fd70b3416bae144752a66a10a108411e5a688c735147b874dfceef

Filesize: 16KB (listed 2 more times; same hashes as the 16KB entry above)
MD5: d1b22ce6e0f11c1b8283a85d9f902bbd
SHA1: 8593038e651f856367d094b4541dd7cbffb8e7a3
SHA256: 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
SHA512: d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

Filesize: 3.4MB (listed 2 times)
MD5: 0a4be075ff7c43377937669f2e6c040a
SHA1: d097e78537fa7876757256583a47024bf0006fd6
SHA256: 351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf
SHA512: cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c

Filesize: 3.1MB
MD5: 383f37499db8755bc905cef05b7b3880
SHA1: 2adcf085c023c2e5e26f0801a3c6f0979b3a83bb
SHA256: 4ccd892db7a892251931d4fc98ae55009302ac65d39bdf4c0df11ccd819dc380
SHA512: 9c70e1a2ffa1433abd143535aa482b37b56be93f98d30a64fade35c18ba185bffa9748b3ced10e8d369028dd7e5ed15dec60e68ea332dbcc60fb9727002873bc

Filesize: 22KB
MD5: 99e972f6d63ded5a9f3d6a06ff481bec
SHA1: b3c98ed6975c649454bce3d88806ad1883e22327
SHA256: d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490
SHA512: ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Filesize: 88KB (listed 2 times)
MD5: 24f5400ea175ed8a981c5f4184587ac4
SHA1: 24b9e12675b4e5f389eb01d6c423e123909d02d9
SHA256: 3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4
SHA512: 4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669

Filesize: 3KB
MD5: 72051cb2a635223b61f1fe158c77671c
SHA1: 1a569f9476a5e5f61e9046b564e70332d066616a
SHA256: 5671ce950a48143b72dccd3de7fb179df6926ac5be63a0b99c5d26907c2cb7a3
SHA512: 8ce5303cb3f6fa4af28f75a3774024d8ac25836a6ff45497aba6795bfef0e22a451302580753ff1e736bde5dad0a33e5f3fe75d912643149b1c13188466fae6a