Analysis

- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 07:50

Static task: static1

Behavioral task: behavioral1
- Sample: 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe
- Resource: win10v2004-20221111-en

General

- Target: 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe
- Size: 1.1MB
- MD5: b478d340a787b85e086cc951d0696cb1
- SHA1: 563d9f1b35b4898d16aff1dccd8969299f7ab8b7
- SHA256: 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95
- SHA512: 93c5a3010ae7bf41ad966902aeaa32e17faa0bad3e76248e2096478af5bf169f817c6914a775efc666967a425716609099be8bf69e2900613a65791e4fcd3e09
- SSDEEP: 24576:npe9a9aC/qF5EZNo9DzDn07bPVICwUmmHcexxnn:pwa9a9F54qH075kUmmHxx1n
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Executes dropped EXE (6 IoCs)

| pid | process |
|---|---|
| 1716 | mnb.exe |
| 1672 | fsdffc.exe |
| 1528 | dfsds.exe |
| 1680 | daaca.exe |
| 2008 | sppsvc.exe |
| 1352 | dal.exe |
Drops startup file (2 IoCs)

| description | ioc | process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dotNET.lnk | dfsds.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sysdll32.lnk | dfsds.exe |
Loads dropped DLL (13 IoCs)

| pid | process | occurrences |
|---|---|---|
| 1652 | 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe | 2 |
| 1716 | mnb.exe | 11 |
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\scrss = "C:\\Users\\Admin\\AppData\\Roaming\\dotNET.lnk" | dfsds.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wininit = "C:\\Sysdll32.lnk" | dfsds.exe |
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
|---|---|
| 20 | ipinfo.io |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)

| resource | yara_rule |
|---|---|
| \Users\Admin\AppData\Local\Temp\dal.exe | nsis_installer_1 |
| \Users\Admin\AppData\Local\Temp\dal.exe | nsis_installer_2 |
| C:\Users\Admin\AppData\Local\Temp\dal.exe | nsis_installer_1 |
| C:\Users\Admin\AppData\Local\Temp\dal.exe | nsis_installer_2 |
| C:\Users\Admin\AppData\Local\Temp\dal.exe | nsis_installer_1 |
| C:\Users\Admin\AppData\Local\Temp\dal.exe | nsis_installer_2 |
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | fsdffc.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | fsdffc.exe |
Modifies Internet Explorer settings

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE |
Modifies registry class (64 IoCs)

All keys below are under \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell and are shown relative to that key.

| description | ioc | process |
|---|---|---|
| Set value (data) | BagMRU\NodeSlots | Explorer.EXE |
| Set value (data) | BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48" | Explorer.EXE |
| Set value (data) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE |
| Set value (int) | BagMRU\NodeSlot = "3" | Explorer.EXE |
| Set value (data) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Explorer.EXE |
| Set value (data) | BagMRU\MRUListEx = 0100000000000000ffffffff | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Explorer.EXE |
| Key created | BagMRU | Explorer.EXE |
| Set value (data) | BagMRU\NodeSlots = 0202 | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE |
| Key created | Bags\1 | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6" | Explorer.EXE |
| Set value (str) | Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE |
| Set value (str) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Explorer.EXE |
| Key created | Bags\3\Shell | Explorer.EXE |
| Set value (data) | BagMRU\MRUListEx = ffffffff | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616193" | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0" | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1" | Explorer.EXE |
| Key created | BagMRU\1\0 | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Explorer.EXE |
| Set value (int) | BagMRU\0\NodeSlot = "1" | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2" | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0" | Explorer.EXE |
| Set value (int) | Bags\AllFolders\Shell\HotKey = "0" | Explorer.EXE |
| Set value (data) | BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE |
| Set value (str) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE |
| Key created | Bags\AllFolders\Shell | Explorer.EXE |
| Set value (data) | BagMRU\0\MRUListEx = ffffffff | Explorer.EXE |
| Set value (data) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Explorer.EXE |
| Set value (data) | BagMRU\NodeSlots = 02 | Explorer.EXE |
| Set value (data) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE |
| Key created | Bags\3 | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE |
| Set value (data) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | Explorer.EXE |
| Key created | BagMRU\0 | Explorer.EXE |
| Set value (str) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | Explorer.EXE |
| Set value (int) | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209" | Explorer.EXE |
| Key created | Bags\2\Shell | Explorer.EXE |
| Set value (str) | Bags\2\Shell\SniffedFolderType = "Generic" | Explorer.EXE |
| Key created | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE |
| Key created | Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9} | Explorer.EXE |
| Set value (data) | BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | Explorer.EXE |
| Set value (data) | BagMRU\1\MRUListEx = 00000000ffffffff | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Explorer.EXE |
| Set value (int) | Bags\AllFolders\Shell\WFlags = "0" | Explorer.EXE |
| Set value (str) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | Explorer.EXE |
| Set value (int) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | Explorer.EXE |
| Key created | Bags\2 | Explorer.EXE |
| Set value (int) | Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Explorer.EXE |
| Key created | Bags\AllFolders | Explorer.EXE |
| Set value (int) | Bags\AllFolders\Shell\ShowCmd = "1" | Explorer.EXE |
| Set value (str) | Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE |
| Key created | Bags | Explorer.EXE |
| Set value (data) | BagMRU\1\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000 | Explorer.EXE |
| Set value (data) | BagMRU\1\0\MRUListEx = ffffffff | Explorer.EXE |
Suspicious behavior: EnumeratesProcesses (32 IoCs)

| pid | process | occurrences |
|---|---|---|
| 1680 | daaca.exe | 1 |
| 1528 | dfsds.exe | 2 |
| 2008 | sppsvc.exe | 29 |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | process |
|---|---|
| 1256 | Explorer.EXE |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1680 | daaca.exe |
| Token: SeDebugPrivilege | 1528 | dfsds.exe |
| Token: SeDebugPrivilege | 2008 | sppsvc.exe |
| Token: SeShutdownPrivilege | 1256 | Explorer.EXE |
| Token: 33 | 580 | AUDIODG.EXE |
| Token: SeIncBasePriorityPrivilege | 580 | AUDIODG.EXE |
| Token: 33 | 580 | AUDIODG.EXE |
| Token: SeIncBasePriorityPrivilege | 580 | AUDIODG.EXE |
| Token: SeShutdownPrivilege | 1256 | Explorer.EXE |
| Token: SeShutdownPrivilege | 1256 | Explorer.EXE |
| Token: SeShutdownPrivilege | 1256 | Explorer.EXE |
| Token: SeShutdownPrivilege | 1256 | Explorer.EXE |
Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | process | occurrences |
|---|---|---|
| 1256 | Explorer.EXE | 2 |
Suspicious use of SendNotifyMessage (61 IoCs)

| pid | process | occurrences |
|---|---|---|
| 1256 | Explorer.EXE | 61 |
Suspicious use of UnmapMainImage (1 IoC)

| pid | process |
|---|---|
| 1680 | daaca.exe |
Suspicious use of WriteProcessMemory (39 IoCs)

| description | pid | process | target process | occurrences |
|---|---|---|---|---|
| PID 1652 wrote to memory of 1716 | 1652 | 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe | mnb.exe | 4 |
| PID 1716 wrote to memory of 1672 | 1716 | mnb.exe | fsdffc.exe | 4 |
| PID 1716 wrote to memory of 1528 | 1716 | mnb.exe | dfsds.exe | 4 |
| PID 1716 wrote to memory of 1680 | 1716 | mnb.exe | daaca.exe | 4 |
| PID 1680 wrote to memory of 1256 | 1680 | daaca.exe | Explorer.EXE | 11 |
| PID 1528 wrote to memory of 2008 | 1528 | dfsds.exe | sppsvc.exe | 5 |
| PID 1652 wrote to memory of 1352 | 1652 | 8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe | dal.exe | 4 |
| PID 1256 wrote to memory of 1568 | 1256 | Explorer.EXE | explorer.exe | 3 |
Processes

- C:\Windows\Explorer.EXE (PID 1256)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe (PID 1652)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8d41d5131fac719cc11823fb57bef9ef1ea063dbb8f52b235a3948bece039d95.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mnb.exe (PID 1716)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mnb.exe" -s -psfghrykjrsetdrfhjryuygs
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\fsdffc.exe (PID 1672)
        Command line: "C:\Users\Admin\AppData\Roaming\fsdffc.exe"
        Signatures: Executes dropped EXE; Checks processor information in registry
      - C:\Users\Admin\AppData\Roaming\dfsds.exe (PID 1528)
        Command line: "C:\Users\Admin\AppData\Roaming\dfsds.exe"
        Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\sppsvc.exe (PID 2008)
          Command line: "C:\Users\Admin\AppData\Roaming\sppsvc.exe"
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\daaca.exe (PID 1680)
        Command line: "C:\Users\Admin\AppData\Roaming\daaca.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dal.exe (PID 1352)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dal.exe"
      Signatures: Executes dropped EXE
  - C:\Windows\explorer.exe (PID 1568)
    Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 580)
  Command line: C:\Windows\system32\AUDIODG.EXE 0xc4
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 | Listings |
|---|---|---|---|---|---|
| 35KB | 69947fc31894cd78ea651768721e26fa | 8f1d431dc0e082e29b8e420df9063737c56d6600 | 2e16065cb223473d0891696e8bed97c240baad32d66c71a9c35b3f2faa1c02b7 | d1ebb7427a16201f827c918798e9c90a278b936846459f01ad09f4f095989792260cfab243f3a3655db2784a4a979f9badfd57462d0e7aa233f8c7f83a5fd1f0 | 3 |
| 1.2MB | 8d44f882db1ce5ec780096bd698cadeb | 5eb4589f28d054befe40750a7c54de8a6f1bd0fa | 103df9101017558d967a8d246739520b7024a930319c3352278c19298ec6084e | f97ccc467096023d704a4761c253ac73ed9bd3173cf1b7734b3cc6433e53f9e26393b30922c6836349a834ce8293c8b55c742a2be3f89cef42f5d2e8473347e7 | 3 |
| 455B | 1015a3e3736c0688394128483ba16017 | c89eea067facad969ef507ae612508b6cd12bc97 | 80ff70c9f15231d1da30560d4aa2efc54301a68c79136f26aaca2138b750e303 | 82c780d3874e60acef251bb126c5144993f2fc14e1cfcd200fe269f1235c03b150e20e326db89f92ef369c2a88458356f8bb5444c835ad63c0e0d36bd2adcdcc | 1 |
| 661B | d667d38143a65821a04b6d950ed5fb07 | 8bfb9ed1a8a32b12f17448c146a9377d18bc95c7 | 933bb383a336ca0e95e65cb14ce33d806e8604d08157e13f5faca2319f020619 | 3bb34f1c3e4cbe492728aef1f92a3b8ecc0167b11ea22dd0a46ce37c533c86e17114853e8db1c00ddb271d11cd12b8d9e906250f95297407ff7fdaa00a301962 | 1 |
| 415KB | dda23435a7b21721ba96ae7fb9812e20 | 2e179d2f38f04879d249aac505ec05e99efbe6aa | 521729034f0ce5b2d3616d8efb8fc43202181cd8c6ff48b535b695dbcde75eb6 | b0972d4ad7f1ca9b3ff08fef2bd4f39368877233c100aa17caf7d93c0d8baa3cc390b7f6d3150af5f4e2d2f6352bbba9b51862790f53934cab1755720293b7ce | 6 |
| 1.2MB | 047af34af65efd5c6ee38eb7ad100a01 | 61809e8f559b27e72a603a45a53116327845dbeb | 931972b7531ee614ff9f9403fb0612ca4e3d668c5bfbedacb9fe18e4ac312f1d | 7e0355636e5883fff7d42c78bc67973b5da4216a7b07fa94e089ff2aaa6f957356e0bc089d89dde71ba0151d3588c5713c9d15f205419cbb5abcd253beed9f4d | 8 |
| 48KB | f12bdda1f8ea3816740ba7a81df1e92e | 7e8f561c66e76868d2145029f71fd6ed8bc3dd50 | d93f9e11688e7317fabcf7ea26ed573619edece0ae6520e80624705ac1dbb273 | f095f82295fda5622a0b682041d7934a1e943c652a9527d649764cbd0c0ae5d16f2a341aa95bf03383793cead97cea93c38276b6260acae431836088ff944abb | 5 |