Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2022 06:56
Static task: static1
Behavioral task: behavioral1
Sample: ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
Resource: win10v2004-20221111-en
General
Target: ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
Size: 306KB
MD5: 8ba89cb6de7e41ec69404990443a97ba
SHA1: af55bcc1d185f3e820d2a5a7eeb10170cf10011c
SHA256: ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051
SHA512: a9eeef96356bcdaa5a5ed8db9d4196bbe854f5ed11a7dc1c8e55fa5ee9ac3b50625f9b0851ebc6e29ddac8b23d019c47b55d4d48be0001664cc2b1cfd328c11a
SSDEEP: 6144:feRrbPL/QsQk7H4p0HakV/S0iPvzpQ6rFiaI:fALQspo0z6xnzpQ6rF
Malware Config
Signatures
Detects Smokeloader packer 1 IoCs
- yara_rule family_smokeloader matched in behavioral1/memory/4596-133-0x00000000006F0000-0x00000000006F9000-memory.dmp
SmokeLoader: Modular backdoor trojan in use since 2014.
Blocklisted process makes network request 2 IoCs
- flow 30: pid 3108 rundll32.exe
- flow 53: pid 3108 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
- pid 3388 BEC1.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\natives_blob.dll" (rundll32.exe)
Sets service image path in registry 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)
Loads dropped DLL 1 IoCs
- pid 3108 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
- PID 3108 (rundll32.exe) set thread context of 3500 (rundll32.exe)
Drops file in Program Files directory 36 IoCs (all by rundll32.exe)
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\server_lg.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\adobepdf.xdc
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-focus.svg
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\server_issue.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.x3d
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons.png
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\UnifiedShare.aapp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
- pid 1100 WerFault.exe, target pid 3388 BEC1.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe)
Checks processor information in registry 2 TTPs 22 IoCs (all by rundll32.exe)
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet
Modifies registry class 30 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- pid 1936
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 4596 ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe (2 occurrences)
- pid 1936 (62 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- pid 1936
Suspicious behavior: MapViewOfSection 1 IoCs
- pid 4596 ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
- Token: SeShutdownPrivilege, pid 1936 (8 occurrences)
- Token: SeCreatePagefilePrivilege, pid 1936 (8 occurrences)
Suspicious use of FindShellTrayWindow 1 IoCs
- pid 3500 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- pid 1936 (2 occurrences)
Suspicious use of WriteProcessMemory 9 IoCs
- PID 1936 wrote to memory of 3388 (BEC1.exe) (3 occurrences)
- PID 3388 (BEC1.exe) wrote to memory of 3108 (rundll32.exe) (3 occurrences)
- PID 3108 (rundll32.exe) wrote to memory of 3500 (rundll32.exe) (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe (PID 4596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\BEC1.exe (PID 3388)
  Command line: C:\Users\Admin\AppData\Local\Temp\BEC1.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3108)
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 3500)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe (PID 1220)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe (PID 1100)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 536
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3464)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3388 -ip 3388
- C:\Windows\System32\rundll32.exe (PID 4084)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\svchost.exe (PID 1764)
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - C:\Windows\SysWOW64\rundll32.exe (PID 4492)
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\natives_blob.dll",YUgZVw==
Network
MITRE ATT&CK Enterprise v6
Downloads