Analysis
- max time kernel: 1801s
- max time network: 1772s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2022 12:22
Static task: static1
Behavioral task: behavioral1 (Sample: ChromeSetup.exe; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: ChromeSetup.exe; Resource: win10v2004-20220901-en)
General
- Target: ChromeSetup.exe
- Size: 260KB
- MD5: 318048af42c5a515d00f888051759aee
- SHA1: 08f02dd5f433599e79b4af8492d764b6cc20ae1d
- SHA256: 5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
- SHA512: 6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
- SSDEEP: 3072:1XKqvYc10U0hP/6m1h45PssEZL6zXBPRga25dZRsX+Iw3mi03zbu/T0K/:xVH/2P/6m1astL6zXAnOcmi03vu0U
Malware Config
Extracted
- family: danabot
- C2: 172.86.120.215:443, 213.227.155.103:443, 103.187.26.147:443, 172.86.120.138:443
- embedded_hash: BBBB0DB8CB7E6D152424535822E445A7
- type: loader
Signatures
- Detects Smokeloader packer (1 IoC)
  Resource: behavioral2/memory/2404-133-0x0000000002D80000-0x0000000002D89000-memory.dmp; YARA rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (19 IoCs)
  flow 77: pid 2072 rundll32.exe
  flows 78, 79, 90, 92, 93, 94, 96, 98, 99, 102, 104, 105, 108, 110, 113, 115, 117, 118: pid 4132 rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  pid 4532 AFC.exe; pid 4128 bauwsjh; pid 4116 bauwsjh; pid 3868 bauwsjh
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened by rundll32.exe: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  Keys opened by rundll32.exe:
  - \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Files opened (read-only) by rundll32.exe: \??\L:, \??\Y:, \??\Z:, \??\A:, \??\B:, \??\E:, \??\G:, \??\X:, \??\I:, \??\M:, \??\V:, \??\W:, \??\U:, \??\H:, \??\J:, \??\N:, \??\T:, \??\Q:, \??\R:, \??\S:, \??\F:, \??\K:, \??\O:, \??\P:
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4532 (AFC.exe) set thread context of 4132 (rundll32.exe)
  PID 4132 (rundll32.exe) set thread context of 3848 (rundll32.exe)
- Drops file in Program Files directory (15 IoCs)
  Files opened for modification by rundll32.exe:
  - C:\Program Files\Mozilla Firefox\firefox.cfg
  - C:\Program Files\7-Zip\Lang\et.txt
  - C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
  - C:\Program Files\7-Zip\Lang\eo.txt
  - C:\Program Files\7-Zip\Lang\es.txt
  - C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll
  - C:\Program Files\7-Zip\Lang\bn.txt
  - C:\Program Files\7-Zip\Lang\de.txt
  - C:\Program Files\7-Zip\Lang\ast.txt
  - C:\Program Files\7-Zip\7-zip.chm
  - C:\Program Files\7-Zip\Lang\eu.txt
  - C:\Program Files\7-Zip\Lang\hy.txt
  - C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 48 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: svchost.exe, ChromeSetup.exe, bauwsjh (keys opened, queried and enumerated under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI)
- Checks processor information in registry (2 TTPs, 40 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AFC.exe, rundll32.exe (keys and values opened, queried and enumerated under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Modifies system certificate store
  Key created by rundll32.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1E37786E43415991F7BEB34190D751BE1955BAA8
  Set value (data) by rundll32.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1E37786E43415991F7BEB34190D751BE1955BAA8\Blob (DER certificate blob)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2404 ChromeSetup.exe (2 entries); pid 2940 (62 entries)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid 2404 ChromeSetup.exe; pid 4128 bauwsjh; pid 4116 bauwsjh; pid 3868 bauwsjh
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Token: SeShutdownPrivilege, pid 1788 svchost.exe (2 entries)
  Token: SeCreatePagefilePrivilege, pid 1788 svchost.exe (1 entry)
  Token: SeShutdownPrivilege, pid 2940 (12 entries)
  Token: SeCreatePagefilePrivilege, pid 2940 (12 entries)
  Token: SeDebugPrivilege, pid 4132 rundll32.exe (1 entry)
- Suspicious use of FindShellTrayWindow (11 IoCs)
  pid 4132 rundll32.exe (2 entries); pid 3848 rundll32.exe (1 entry); pid 2940 (8 entries)
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 2940 wrote to memory of 4532 (AFC.exe): 3 entries
  PID 4532 (AFC.exe) wrote to memory of 4044 (agentactivationruntimestarter.exe): 3 entries
  PID 4532 (AFC.exe) wrote to memory of 2072 (rundll32.exe): 19 entries
  PID 4532 (AFC.exe) wrote to memory of 4132 (rundll32.exe): 4 entries
  PID 4132 (rundll32.exe) wrote to memory of 3848 (rundll32.exe): 3 entries
  PID 4132 (rundll32.exe) wrote to memory of 3440 (schtasks.exe): 3 entries
  PID 4132 (rundll32.exe) wrote to memory of 3892 (schtasks.exe): 3 entries
- outlook_office_path (1 IoC)
  Key opened by rundll32.exe: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by rundll32.exe: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\AFC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\AFC.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\agentactivationruntimestarter.exe
    Command line: C:\Windows\system32\agentactivationruntimestarter.exe
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Blocklisted process makes network request
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Blocklisted process makes network request
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20327
      - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x510 0x50c
C:\Users\Admin\AppData\Roaming\bauwsjh
  Command line: C:\Users\Admin\AppData\Roaming\bauwsjh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Roaming\bauwsjh
  Command line: C:\Users\Admin\AppData\Roaming\bauwsjh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Roaming\bauwsjh
  Command line: C:\Users\Admin\AppData\Roaming\bauwsjh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AFC.exe
  Filesize: 1.3MB
  MD5: 5bca63386bbada2c021da12fae6e0a2b
  SHA1: 9ac800c5c720e0c4f6a21fdb27211c4a9a875452
  SHA256: b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be
  SHA512: 957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339
- C:\Users\Admin\AppData\Local\Temp\Dhfteep.tmp
  Filesize: 3.3MB
  MD5: 9ee66bd586450c037b6a14eed557a159
  SHA1: 6218331454c5204349b259ea260dd2161ce41371
  SHA256: d9cf31419401bed1796f49f2daea2f9eea468c3643ab9086ba61d24e3283db0f
  SHA512: eabdb81f278abe54088740b4139ca6d5b8cf99c014102128b9c3ebebf51b163d6ba0b06a066de1eeb33199c2a475c0ce585c102b7684ce2d086b493f842ee8a8
- C:\Users\Admin\AppData\Roaming\bauwsjh
  Filesize: 260KB
  MD5: 318048af42c5a515d00f888051759aee
  SHA1: 08f02dd5f433599e79b4af8492d764b6cc20ae1d
  SHA256: 5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
  SHA512: 6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
- memory/2072-148-0x0000000000710000-0x0000000000713000-memory.dmp (12KB)
- memory/2072-153-0x0000000000750000-0x0000000000753000-memory.dmp (12KB)
- memory/2072-146-0x0000000000000000-mapping.dmp
- memory/2072-152-0x0000000000750000-0x0000000000753000-memory.dmp (12KB)
- memory/2072-147-0x0000000000700000-0x0000000000703000-memory.dmp (12KB)
- memory/2072-149-0x0000000000720000-0x0000000000723000-memory.dmp (12KB)
- memory/2072-150-0x0000000000730000-0x0000000000733000-memory.dmp (12KB)
- memory/2072-151-0x0000000000740000-0x0000000000743000-memory.dmp (12KB)
- memory/2404-135-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/2404-134-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/2404-132-0x0000000002E07000-0x0000000002E1C000-memory.dmp (84KB)
- memory/2404-133-0x0000000002D80000-0x0000000002D89000-memory.dmp (36KB)
- memory/3440-186-0x0000000000000000-mapping.dmp
- memory/3848-183-0x000001FD04C50000-0x000001FD04D90000-memory.dmp (1.2MB)
- memory/3848-188-0x000001FD03280000-0x000001FD034AE000-memory.dmp (2.2MB)
- memory/3848-181-0x00007FF641876890-mapping.dmp
- memory/3848-184-0x0000000000F80000-0x000000000119E000-memory.dmp (2.1MB)
- memory/3848-185-0x000001FD03280000-0x000001FD034AE000-memory.dmp (2.2MB)
- memory/3848-182-0x000001FD04C50000-0x000001FD04D90000-memory.dmp (1.2MB)
- memory/3868-201-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/3868-200-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/3868-199-0x0000000002F3A000-0x0000000002F4F000-memory.dmp (84KB)
- memory/3892-187-0x0000000000000000-mapping.dmp
- memory/4044-139-0x0000000000000000-mapping.dmp
- memory/4116-197-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/4116-195-0x0000000002E4A000-0x0000000002E5F000-memory.dmp (84KB)
- memory/4116-196-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/4128-191-0x0000000002E17000-0x0000000002E2C000-memory.dmp (84KB)
- memory/4128-192-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/4128-193-0x0000000000400000-0x0000000002C2E000-memory.dmp (40.2MB)
- memory/4132-171-0x0000000000400000-0x0000000000D9C000-memory.dmp (9.6MB)
- memory/4132-170-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-169-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-172-0x00000000028D0000-0x000000000338C000-memory.dmp (10.7MB)
- memory/4132-168-0x00000000028D0000-0x000000000338C000-memory.dmp (10.7MB)
- memory/4132-174-0x00000000028D0000-0x000000000338C000-memory.dmp (10.7MB)
- memory/4132-176-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-175-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-177-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-178-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-179-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-180-0x0000000003410000-0x0000000003550000-memory.dmp (1.2MB)
- memory/4132-167-0x0000000000000000-mapping.dmp
- memory/4532-165-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-143-0x0000000000400000-0x0000000002D3B000-memory.dmp (41.2MB)
- memory/4532-173-0x00000000056E0000-0x000000000619C000-memory.dmp (10.7MB)
- memory/4532-166-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-142-0x0000000000400000-0x0000000002D3B000-memory.dmp (41.2MB)
- memory/4532-145-0x0000000000400000-0x0000000002D3B000-memory.dmp (41.2MB)
- memory/4532-164-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-141-0x0000000004B40000-0x0000000004E0C000-memory.dmp (2.8MB)
- memory/4532-140-0x000000000326F000-0x0000000003390000-memory.dmp (1.1MB)
- memory/4532-159-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-163-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-162-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-161-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-160-0x0000000006320000-0x0000000006460000-memory.dmp (1.2MB)
- memory/4532-158-0x00000000056E0000-0x000000000619C000-memory.dmp (10.7MB)
- memory/4532-157-0x00000000056E0000-0x000000000619C000-memory.dmp (10.7MB)
- memory/4532-136-0x0000000000000000-mapping.dmp
- memory/4532-156-0x00000000056E0000-0x000000000619C000-memory.dmp (10.7MB)
- memory/4532-144-0x0000000000400000-0x0000000002D3B000-memory.dmp (41.2MB)
- memory/4532-154-0x0000000000400000-0x0000000002D3B000-memory.dmp (41.2MB)