Resubmissions
Submitted          Task ID            Score
19-11-2022 21:40   221119-1jgzlacd49  8
19-11-2022 13:48   221119-q4ed4adg34  10
19-11-2022 06:26   221119-g7aqmscg91  10
19-11-2022 05:30   221119-f67hjsbc8t  10  (this report)
15-11-2022 20:50   221115-zm3j2abf6y  10
15-11-2022 20:50   221115-zmpm6sfh23  10
15-11-2022 20:49   221115-zl6kasfg98  10
15-11-2022 20:19   221115-y4ct9sff87  10
14-11-2022 19:39   221114-yc4tnsdb92  10
14-11-2022 19:34   221114-yakb9adb83  10
Analysis
max time kernel: 1801s
max time network: 1793s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2022 05:30
Static task: static1
Behavioral task: behavioral1
Sample: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Resource: win10v2004-20221111-en
General
Target: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Size: 307KB
MD5: 0abe50c1509136bf62d2184ab439e7a5
SHA1: 722a7e2a0dd66f506ba93d24946b8bf504b100c0
SHA256: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
SHA512: 0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
SSDEEP: 6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
  YARA rule family_smokeloader matched behavioral1/memory/2352-133-0x00000000001F0000-0x00000000001F9000-memory.dmp, a 36KB region in PID 2352 (the submitted sample).

SmokeLoader
  Modular backdoor trojan in use since 2014.
Blocklisted process makes network request (15 IoCs)
  rundll32.exe (PID 1672, the instance loaded with Qieppoeedtppeh.tmp; see Processes) initiated network flows 138, 209, 211, 288, 296, 326, 340, 375, 389, 409, 436, 456, 474, 508 and 536.

Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
  PID 4020 DA14.exe; PIDs 2392, 4316 and 2736 gatjchg.
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Defender\\ja-JP\\close_x.dll"

Sets service image path in registry (2 TTPs, 1 IoC)
  rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"
  Together these register close_x as an svchost-hosted service whose DLL lives under Program Files (x86) rather than System32. The sandbox attributes both writes to rundll32.exe itself, i.e. the keys were written directly to the registry rather than through the Service Control Manager (which would have logged services.exe as the writer). The svchost.exe -k LocalService instance that later loads close_x.dll (PID 1268) appears in the Processes section.
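The pair of writes above is the persistence mechanism, and its shape (svchost-hosted service, ServiceDll outside System32, keys written by something other than the SCM) is easy to hunt for in registry-write telemetry. The following is an added example, not code from the report, the sandbox or the malware: a small rule set run over IoC lines in the sandbox's flattened format. The two close_x lines are copied from this report; the Dnscache line is invented as a benign control and is not from the report.

```python
import re
from collections import defaultdict

# Sample input, constructed for this example: the two service-key writes from
# this report's signature table (in the sandbox's flattened form, backslashes
# doubled inside the quoted data) plus one benign line invented for contrast.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Defender\\ja-JP\\close_x.dll" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe',
    # invented benign entry (not from the report): DNS Client, written by the SCM
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll = "C:\\Windows\\System32\\dnsrslvr.dll" services.exe',
]

# One line = operation, value path under ...\Services\<name>\, quoted data, writing process.
EVENT_RE = re.compile(
    r"^Set value \(\w+\) \\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<svc>[^\\]+)\\(?P<value>Parameters\\ServiceDll|ImagePath) = "
    r'"(?P<data>.*)" (?P<writer>\S+)$'
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_service_writes(lines):
    """Group ServiceDll / ImagePath writes by service name, remembering who wrote them."""
    services = defaultdict(lambda: {"writers": set()})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue                                   # not a service-key write
        rec = services[m["svc"]]
        field = "ServiceDll" if m["value"].endswith("ServiceDll") else "ImagePath"
        rec[field] = m["data"].replace("\\\\", "\\")   # undo the doubled backslashes
        rec["writers"].add(m["writer"])
    return services


def find_suspicious_services(lines):
    """Flag svchost-hosted services whose DLL sits outside System32/SysWOW64, and
    service keys written by a process other than the Service Control Manager."""
    findings = []
    for name, rec in parse_service_writes(lines).items():
        dll = rec.get("ServiceDll")
        if not dll:
            continue
        reasons = []
        hosted_by_svchost = "svchost.exe" in rec.get("ImagePath", "").lower()
        if hosted_by_svchost and not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append("svchost-hosted ServiceDll outside System32/SysWOW64")
        foreign_writers = rec["writers"] - {"services.exe"}
        if foreign_writers:
            reasons.append("service keys written directly by " + ", ".join(sorted(foreign_writers)))
        if reasons:
            findings.append({"service": name, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{f['service']}: {f['dll']}\n  " + "\n  ".join(f["reasons"]))
```

The "ServiceDll outside System32/SysWOW64 for an svchost-hosted service" rule is the strong signal; the "writer is not services.exe" rule is weaker on its own, because some legitimate installers also write service keys directly, so treat it as corroboration rather than a verdict.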
Loads dropped DLL (3 IoCs)
  PID 1672 rundll32.exe; PID 1268 svchost.exe; PID 3628 rundll32.exe.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  rundll32.exe opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  rundll32.exe opened, under \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\:
  - Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
  PID 1672 rundll32.exe set the thread context of PID 2596 rundll32.exe (the 64-bit rundll32.exe it spawned with shell32.dll,#61; see Processes).

Drops file in Program Files directory (22 IoCs)
  rundll32.exe created six files in C:\Program Files (x86)\Windows Defender\ja-JP\: MoreTools.aapp, ExtendScript.dll, BIBUtils.dll, ccloud_retina.png, AXSLE.dll and close_x.dll. Apart from close_x.dll (the DLL registered as ServiceDll above), the names match files the same process opened under C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ in this run, so the staging directory is dressed with legitimate-looking filenames.
  rundll32.exe opened for modification:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak
  - C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files\7-Zip\Lang\eu.txt
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll
  - C:\Program Files\7-Zip\Lang\de.txt
  - C:\Program Files\7-Zip\7-zip.dll
  - C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll
  - C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp
  - C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif
  - C:\Program Files\7-Zip\Lang\hr.txt
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic signature text; nothing else in this report, no file encryption and no ransom note, indicates ransomware.)
Program crash (2 IoCs)
  WerFault.exe PID 4196 handled a crash in PID 4536 (not named in the report); WerFault.exe PID 4268 handled a crash in PID 4020 DA14.exe.

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI was opened, enumerated and queried by the submitted sample (db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe, PID 2352) and by each of the three gatjchg instances, 12 accesses in total.
Checks processor information in registry (2 TTPs, 64 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  svchost.exe (PID 1268) and the two rundll32.exe instances that loaded the dropped DLLs (PIDs 1672 and 3628) opened and enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor, \CentralProcessor\0 and \CentralProcessor\1, and queried under both processor keys the values ~MHz, FeatureSet, Update Revision, Previous Update Revision, Update Status, VendorIdentifier, Identifier, ProcessorNameString, Component Information, Configuration Data and Platform Specific Field 1 (64 accesses in total).
Modifies registry class (3 IoCs)
  Key created (writing process not recorded):
  - \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  - \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  - \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Modifies system certificate store
  rundll32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\740C6E5E25AA654FD88DA666B1EBEED90FA54E57
  rundll32.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\740C6E5E25AA654FD88DA666B1EBEED90FA54E57\Blob = 030000000100000014000000740c6e5e25aa654fd88da666b1ebeed90fa54e5720000000010000007a02000030820276308201dfa00302010202081c08fc567e50af68300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313131393036333432315a170d3234313131383036333432315a30613120301e06035504030c17446967694365727420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100be511652045d68698c79f2af315ccfa6f39d4bcbfdfa135513731f4467af056fb9e3571696888310ba56cbd9bbe76c13645f48ee15bb9ed6ac70f8ca4caf039397f36d34426c13a6295f3d2de3e6c7f9f3996490e34d789b6458101bada3599f0787abf53ea67726cc3268be5be8555cb6f8702ac099efe499ab3f45e83a53450203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365726420476c6f62616c20526f6f74204732300d06092a864886f70d01010b050003818100497d0110c0e9942845bca5c7c8b4b123b0695a8ed0b898d79915ecd2b53b93ee9e8d9215dd2d85509cfc553a3db5aaf8c2f4711979e7f4d1aed95bcb3b733e9d81129a6be87208fe22c7450663c6a3f37baa8a86bfa5d735a4604493aad4628a0e3ba04f979bb522195f070f592b2a591c24a1c95d843cb36194f19ef7b8dffb
  The Blob is a serialized certificate-store element: property 3 (the SHA-1 hash, 20 bytes, 740c6e5e...4e57) followed by property 0x20 (the DER certificate, 634 bytes). Decoding the DER: self-signed, subject and issuer CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US; serial 1c08fc567e50af68; valid 2020-11-19 06:34:21 to 2024-11-18 06:34:21 UTC; 1024-bit RSA key; signed with sha256WithRSAEncryption; basicConstraints CA:TRUE (critical). Only the name is DigiCert's: the genuine DigiCert Global Root G2 is a 2048-bit RSA root with a different thumbprint. Installing this under the machine ROOT store makes Windows trust any TLS certificate or Authenticode signature that chains to the attacker-controlled key.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  2 from PID 2352 (db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe), 62 from PID 1192 (not named in the report).

Suspicious behavior: MapViewOfSection (4 IoCs)
  PID 2352 db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe; PIDs 2392, 4316 and 2736 gatjchg.

Suspicious use of AdjustPrivilegeToken (43 IoCs)
  PID 1192 (unnamed) enabled SeShutdownPrivilege and SeCreatePagefilePrivilege alternately, 42 times in total; PID 1672 rundll32.exe enabled SeDebugPrivilege once.

Suspicious use of FindShellTrayWindow (12 IoCs)
  PID 2596 rundll32.exe (1), PID 1192 (10), PID 1672 rundll32.exe (1).

Suspicious use of WriteProcessMemory (18 IoCs)
  Six distinct writer/target pairs, each logged three times:
  - PID 1192 (unnamed) -> PID 4020 DA14.exe
  - PID 4020 DA14.exe -> PID 1672 rundll32.exe
  - PID 1672 rundll32.exe -> PID 2596 rundll32.exe
  - PID 1268 svchost.exe -> PID 3628 rundll32.exe
  - PID 1672 rundll32.exe -> PID 5076 schtasks.exe
  - PID 1672 rundll32.exe -> PID 2692 schtasks.exe
  Every pair is a parent writing into a child it just created (the same three writes appear for the plain schtasks.exe children), so these are process-creation artefacts rather than injection; the one pair that is also followed by a SetThreadContext call is 1672 -> 2596. PID 1192 is not named anywhere in the report and is absent from the Processes tree; it is the process that created DA14.exe and accounts for most of the EnumeratesProcesses, AdjustPrivilegeToken and FindShellTrayWindow hits.

outlook_office_path (1 IoC)
  rundll32.exe opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
  rundll32.exe opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
Indentation shows parent/child depth as reported by the sandbox; each entry gives the image path, the command line, and the signatures attributed to that process.

- C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"
  Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 440 -p 4536 -ip 4536
- C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -u -p 4536 -s 1772
  Program crash
- C:\Users\Admin\AppData\Local\Temp\DA14.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\DA14.exe
  Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    cmd: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qieppoeedtppeh.tmp",Risetpqpdpi
    Blocklisted process makes network request; Sets DLL path for service in the registry; Sets service image path in registry; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; Drops file in Program Files directory; Checks processor information in registry; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\system32\rundll32.exe
      cmd: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19045
      Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 528
    Program crash
- C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4020 -ip 4020
- C:\Windows\SysWOW64\svchost.exe
  cmd: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Loads dropped DLL; Checks processor information in registry; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    cmd: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows defender\ja-jp\close_x.dll",cCdJeTI=
    Loads dropped DLL; Checks processor information in registry
- C:\Users\Admin\AppData\Roaming\gatjchg
  cmd: C:\Users\Admin\AppData\Roaming\gatjchg
  Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\gatjchg
  cmd: C:\Users\Admin\AppData\Roaming\gatjchg
  Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\gatjchg
  cmd: C:\Users\Admin\AppData\Roaming\gatjchg
  Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
  (the three gatjchg processes are PIDs 2392, 4316 and 2736 per the Executes dropped EXE signature)

Note the image paths: the DA14.exe chain, the svchost.exe -k LocalService host and both rundll32.exe instances that load the dropped DLLs run from SysWOW64 even where the command line says system32, so those processes, and therefore Qieppoeedtppeh.tmp and close_x.dll, are 32-bit. The rundll32.exe launched with shell32.dll,#61 is the only 64-bit process in the chain (its memory regions in the Downloads list sit at 0x263... addresses). The svchost host also runs from SysWOW64 although the ImagePath written for close_x names C:\Windows\system32\svchost.exe.
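Two of the three rundll32.exe invocations in the tree load a module from outside System32: a .tmp file in the user's Temp directory, and close_x.dll from the Program Files (x86)\Windows Defender\ja-JP staging directory with an entry point (cCdJeTI=) that is not a C identifier. The following is an added example, not code from the report, the sandbox or the malware: the command-line triage a detection engineer would write for this shape, parsing rundll32 syntax and scoring the module path, extension and entry point. The first three sample command lines are constructed from the tree above; the inetcpl.cpl line is invented as a benign control and is not from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the three rundll32.exe command lines from this report's
# process tree, plus one invented benign invocation (inetcpl.cpl) for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qieppoeedtppeh.tmp",Risetpqpdpi',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19045',
    r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows defender\ja-jp\close_x.dll",cCdJeTI=',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\System32\inetcpl.cpl",ClearMyTracksByProcess 255',  # invented benign line
]

# rundll32 syntax: <rundll32 path> <module>,<entry point> [arguments]
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"]*?rundll32\.exe)"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<entry>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")
DLL_EXTENSIONS = {".dll", ".cpl"}
# Heuristic: export names are C identifiers, sometimes decorated (_Foo@8, ?Foo@@YAXXZ); ordinals are #N.
EXPORT_NAME_RE = re.compile(r"#\d+|[A-Za-z_?$@][A-Za-z0-9_?$@]*")


def assess_rundll32(cmdline):
    """Parse one rundll32 command line and list why it looks suspicious (empty list = nothing found)."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return {"cmdline": cmdline, "parsed": False, "reasons": []}
    module = PureWindowsPath(m["module"])
    mod_lower = str(module).lower()
    reasons = []
    if not mod_lower.startswith(TRUSTED_DIRS):
        reasons.append("module outside System32/SysWOW64")
    if module.suffix.lower() not in DLL_EXTENSIONS:
        reasons.append(f"module extension {module.suffix or '<none>'} is not a DLL")
    if any(marker in mod_lower for marker in STAGING_MARKERS):
        reasons.append("module in a user-writable staging directory")
    if not EXPORT_NAME_RE.fullmatch(m["entry"]):
        reasons.append(f"entry point {m['entry']!r} is not a plausible export name or ordinal")
    return {"cmdline": cmdline, "parsed": True, "module": str(module),
            "entry": m["entry"], "args": m["args"], "reasons": reasons}


def flag_rundll32(cmdlines):
    """Return only the invocations that triggered at least one rule."""
    return [r for r in map(assess_rundll32, cmdlines) if r["reasons"]]


if __name__ == "__main__":
    for hit in flag_rundll32(SAMPLE_CMDLINES):
        print(hit["cmdline"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Keep in mind when tuning the entry-point rule that rundll32 loads the module, and so runs its DllMain, before it resolves the named entry point; an entry name that does not exist in the DLL still gets the DLL's initialisation code executed, so an odd-looking entry is a signal, not a sign that the invocation failed.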
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\Windows Defender\ja-JP\close_x.dll (also recorded as \??\c:\program files (x86)\windows defender\ja-jp\close_x.dll)
  Filesize: 802KB
  MD5: f2d3b9d032fddcb9fa7b51956f1ae2d9
  SHA1: 991714a4abb07fcf15a173b456873a36347e2ace
  SHA256: 562366859673ec4892eb58423e28ca1ff6e522abcc53e809d6353989bf8ef8d5
  SHA512: eb39f2730ef5c9806b2735ce0dce4b4f4e29db834f7a859a1df3c00c4dfbedb2c9b3b52867e278f79e9c3a1f285c7ac9412b5f9a34f86f86440ed3e2c853828b

C:\ProgramData\{455CF15F-E931-14FA-1CC2-96370E30FAF8}\MicrosoftInternetExplorer2013.xml
  Filesize: 3KB
  MD5: 39809802833d898662c89d1d8ae84404
  SHA1: d58f9d9ee2bd76ef129e48266cf94b72a28d0bb5
  SHA256: 30224904419fbc821d52e4e78ceed00115c5a74aa3581b89dc5026223194171a
  SHA512: 907515f52c1c2e88862a2d1ce5fb2554eae5accd0c6bf0ce64ff011e9d62f1c06160118890e749e601338abb7d29498b4fe28ce8b5ed35a79c412349aa9e7b95

C:\ProgramData\{455CF15F-E931-14FA-1CC2-96370E30FAF8}\MicrosoftOffice2010Win32.xml
  Filesize: 71KB
  MD5: b08a8c2f6941a1a12aa05180aec1dbb9
  SHA1: c09f9207502aca3866b182d79221addcca76f4d1
  SHA256: 843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f
  SHA512: 8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7

C:\ProgramData\{455CF15F-E931-14FA-1CC2-96370E30FAF8}\MicrosoftOffice2013BackupWin64.xml
  Filesize: 12KB
  MD5: d24bea7d3b999f28e375d1d061a03d97
  SHA1: 95b207708762aa4752c77728128cbe3033646204
  SHA256: 57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2
  SHA512: 3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

C:\ProgramData\{455CF15F-E931-14FA-1CC2-96370E30FAF8}\Qsswsuaweuhyoe.tmp
  Filesize: 3.5MB
  MD5: 959da320695c91a681f5e67a2081d4a6
  SHA1: 32b18840ae6c21018fd7a8efe20a9a38d4a651e4
  SHA256: 44c0e5b65bf85daab5d107da77cc38373d97a847c847847e299377bd88c9d4b1
  SHA512: 51cb0f59c673dc4310a6392bf399a9ce89a4287c91d8ea06164c609fb063a8d392160ad35f2d1837eac5a48b3b2788d001178614129ea5ff83d63ab060c322aa

C:\ProgramData\{455CF15F-E931-14FA-1CC2-96370E30FAF8}\RegisterInboxTemplates.ps1
  Filesize: 611B
  MD5: 05f7a98933d942ced40039a39cdb3fda
  SHA1: c7d59ec61f4e454b0c8e38d921fb5e7f127ee46d
  SHA256: a9b8f3753fb1adf3fdd9558cd49e0be28d0fd781eb192ff9e8b0cc736ee173eb
  SHA512: dc01d47114be1fece3b4a87498194ae8c102d863f384e4b45009d5ddc8e1bfe77ecab99bf8ea76c53177a847b312f5a743ac9f06eb4a3619b91ec2adf19d4f34

C:\ProgramData\{455CF15F-E931-14FA-1CC2-96370E30FAF8}\setup.ini
  Filesize: 214B
  MD5: d8b2e1bfe12db863bdccdd49a5e1c8b5
  SHA1: 9c979907f03887b270d4e87b0cdd5377cff3692c
  SHA256: 00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301
  SHA512: 3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

C:\Users\Admin\AppData\Local\Temp\DA14.exe
  Filesize: 1.2MB
  MD5: 578ecff2823a463b85cd7888931e37e0
  SHA1: e5dc6560471eb54c6f1700aef624e4f316f0332d
  SHA256: b92ac3c77eacb6955e2ccec9943821d016a2593b64ac608bd4c98f61b795f0f7
  SHA512: 39f599943edb237e79b51fdba72c80bca2063d2e8642dea9ebacd9f1403e96c8cc190d32db8e1c1b44bd292042d0550d106ef39cb0850c91aeafe6d9209b499a

C:\Users\Admin\AppData\Local\Temp\Qieppoeedtppeh.tmp
  Filesize: 802KB
  MD5: 759e32c67ea3441582e9573471496f41
  SHA1: c8e8378787184363d256b91417e60f09ccb4258d
  SHA256: a5555d31a4f07e83f86100ce6f8242feccaa5157b10ccef2b48ab13dfac06ffd
  SHA512: 5c5d8f5b0aca6a68ea7bf7a30a7fe8afc204514e76cf13c6d23eb0e2bcc6925dd36d65fde81a893a338ec61dfb5f0c2da1e0c4cf1c52856e5df9511ceca741d4
  (same size as close_x.dll but different hashes)

C:\Users\Admin\AppData\Roaming\gatjchg
  Filesize: 307KB
  MD5: 0abe50c1509136bf62d2184ab439e7a5
  SHA1: 722a7e2a0dd66f506ba93d24946b8bf504b100c0
  SHA256: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
  SHA512: 0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
  (byte-identical to the submitted sample: the loader copies itself to %AppData%\gatjchg, with no extension, and runs from there)
Memory dumps (process names from the signature tables above)

memory/1268-163, -171, -176 (svchost.exe): 0x0000000003E80000-0x00000000049C8000, 11.3MB
memory/1672-139 (rundll32.exe): 0x0000000000000000 mapping
memory/1672-145, -146, -158 (rundll32.exe): 0x0000000007020000-0x0000000007B68000, 11.3MB
memory/1672-147, -148, -149, -150, -151, -152 (rundll32.exe): 0x0000000005210000-0x0000000005350000, 1.2MB
memory/2352-132 (db79d6a6...exe): 0x0000000000912000-0x0000000000927000, 84KB
memory/2352-133 (db79d6a6...exe): 0x00000000001F0000-0x00000000001F9000, 36KB (family_smokeloader YARA match)
memory/2352-134, -135 (db79d6a6...exe): 0x0000000000400000-0x0000000000850000, 4.3MB
memory/2392-179 (gatjchg): 0x00000000008F3000-0x0000000000909000, 88KB
memory/2392-180, -181 (gatjchg): 0x0000000000400000-0x0000000000850000, 4.3MB
memory/2596-153 (rundll32.exe, 64-bit): 0x00007FF639A76890 mapping
memory/2596-154 (rundll32.exe, 64-bit): 0x0000000000F50000-0x0000000001200000, 2.7MB
memory/2596-155, -159 (rundll32.exe, 64-bit): 0x00000263C2230000-0x00000263C24F1000, 2.8MB
memory/2596-156, -157 (rundll32.exe, 64-bit): 0x00000263C3CA0000-0x00000263C3DE0000, 1.2MB
memory/2692-175 (schtasks.exe): 0x0000000000000000 mapping
memory/2736-187 (gatjchg): 0x0000000000A34000-0x0000000000A49000, 84KB
memory/2736-188, -189 (gatjchg): 0x0000000000400000-0x0000000000850000, 4.3MB
memory/3628-169 (rundll32.exe): 0x0000000000000000 mapping
memory/3628-172, -173 (rundll32.exe): 0x0000000005490000-0x0000000005FD8000, 11.3MB
memory/4020-136 (DA14.exe): 0x0000000000000000 mapping
memory/4020-142 (DA14.exe): 0x0000000000A9F000-0x0000000000B8C000, 948KB
memory/4020-143 (DA14.exe): 0x0000000000C90000-0x0000000000DBF000, 1.2MB
memory/4020-144 (DA14.exe): 0x0000000000400000-0x000000000092F000, 5.2MB
memory/4316-183 (gatjchg): 0x0000000000BD4000-0x0000000000BE9000, 84KB
memory/4316-184, -185 (gatjchg): 0x0000000000400000-0x0000000000850000, 4.3MB
memory/5076-174 (schtasks.exe): 0x0000000000000000 mapping

The same 4.3MB image at 0x400000-0x850000 is dumped from the submitted sample and from all three gatjchg copies, as expected for a self-copy, and an 11.3MB region of identical size appears in each of the three processes that loaded a dropped DLL (1672, 1268, 3628), which is where to look for the unpacked payload.