Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2022, 09:26
Static task: static1
Behavioral task: behavioral1
  Sample: 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Resource: win10v2004-20221111-en
General
Target: 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
Size: 215KB
MD5: 8b0f52e9c1e77d9a28a42c37b9e0f85e
SHA1: 2366e4199e5337a4372d70ad61e9b0b5b4ebcbd3
SHA256: 5358987e29bbc904b8a14e89db649725e8fd97c2b2b369a30a3a3843357c76bf
SHA512: d683fb13efc93431a81ea9f98a37d95471df12bc10f5c7db66f9a309613a16e7c6c062bea473363c8e4fc3f67bd0508e51077be326926f265d9cb5c800b331c3
SSDEEP: 3072:MhlgLV5saR9MAmVtSBS40za9JIOJXKaNRAtOba+OljcbImdzmuX:M3gLV5KAmVt5gnJX90/ljcbXF
Malware Config
Signatures
Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral2/memory/1800-133-0x00000000004D0000-0x00000000004D9000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
Blocklisted process makes network request 3 IoCs
flow | pid | Process
33 | 4528 | rundll32.exe
37 | 4528 | rundll32.exe
59 | 4528 | rundll32.exe
Downloads MZ/PE file

Executes dropped EXE 1 IoCs
pid | Process
3096 | E767.exe
Sets DLL path for service in the registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons.dllÔ€" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons.dll" | rundll32.exe
Sets service image path in registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
Loads dropped DLL 2 IoCs
pid | Process
4528 | rundll32.exe
3972 | svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4528 set thread context of 2520 | 4528 | rundll32.exe | 93
Drops file in Program Files directory 45 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\StandardBusiness.pdf | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_hiContrast_bow.png | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Checkers.api | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\MoreTools.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Acrofx32.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_hiContrast_wob.png | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AXSLE.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Close.png | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3832 | 3096 | WerFault.exe | 82
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Process not Found
Modifies registry class 30 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093555853100054656d7000003a0009000400efbe6b557d6c93555d532e000000000000000000000000000000000000000000000000001cc9be00540065006d007000000014000000 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Process not Found
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2096 | Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1800 | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
1800 | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
2096 | Process not Found (the remaining 62 entries are all this same row)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2096 | Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1800 | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2096 | Process not Found
Token: SeCreatePagefilePrivilege | 2096 | Process not Found
(the two rows above alternate for all 22 entries, 11 of each)

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2520 | rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2096 | Process not Found
2096 | Process not Found

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2096 wrote to memory of 3096 | 2096 | Process not Found | 82
PID 2096 wrote to memory of 3096 | 2096 | Process not Found | 82
PID 2096 wrote to memory of 3096 | 2096 | Process not Found | 82
PID 3096 wrote to memory of 4528 | 3096 | E767.exe | 84
PID 3096 wrote to memory of 4528 | 3096 | E767.exe | 84
PID 3096 wrote to memory of 4528 | 3096 | E767.exe | 84
PID 4528 wrote to memory of 2520 | 4528 | rundll32.exe | 93
PID 4528 wrote to memory of 2520 | 4528 | rundll32.exe | 93
PID 4528 wrote to memory of 2520 | 4528 | rundll32.exe | 93
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b0f52e9c1e77d9a28a42c37b9e0f85e.exe"
  PID: 1800
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\E767.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E767.exe
  PID: 3096
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      PID: 4528
      - Blocklisted process makes network request
      - Sets DLL path for service in the registry
      - Sets service image path in registry
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
          PID: 2520
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 528
      PID: 3832
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3096 -ip 3096
  PID: 2180

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1908

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 3972
  - Loads dropped DLL

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons.dll",RzUSQTE2
      PID: 4856
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 726KB
MD5: 6014e6dfed68030eda7da4d3574f91ec
SHA1: 88792bb19cf3c0885ffd24ac4f5707d505910c1a
SHA256: 1c6c7ab3da054f0a76ecea29c7e61ab38d81b2d8855f97a1853629436a8ac2c7
SHA512: b6c6dd6534a17699d120dbfe698caa0920771463e55ee11e5b15ba983045a0d271e247e3ce626caa67a2cb813259d2562eeaaecc3c0db45956eefe523271ab62

Filesize: 726KB
MD5: 6014e6dfed68030eda7da4d3574f91ec
SHA1: 88792bb19cf3c0885ffd24ac4f5707d505910c1a
SHA256: 1c6c7ab3da054f0a76ecea29c7e61ab38d81b2d8855f97a1853629436a8ac2c7
SHA512: b6c6dd6534a17699d120dbfe698caa0920771463e55ee11e5b15ba983045a0d271e247e3ce626caa67a2cb813259d2562eeaaecc3c0db45956eefe523271ab62

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AsyncTextService_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml
Filesize: 2KB
MD5: 2240070d6603ab019cd125005cf38b7b
SHA1: ca96d028f51a7d5ec16630b48935f26c72794b0a
SHA256: 7b3b1b641ebbda5397a11af86cb347b0f644ab439341c62b1c81d6990e6f75bc
SHA512: 95c6f48f717d9103d30c31e00b7ff3a0d235693a8fffed772c0a0c39107bf3003ac84d6c78e2af566d91a88fa523dcc2c523dcc707d19fc77799832d548f330c

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize: 843B
MD5: 8a33c96712ba9c043f7a07d4c437a3fd
SHA1: dbd78a66c461017ee26a751925f9cecdea2590da
SHA256: eb8b0de59dd2efc380f7081af8975f37a83ee72c9c06ef25873f63d224adea1e
SHA512: 7b9a15d219e4a5cd9146f8e7ae1d7c3b6f843ed060edf52e4928e349edd821a2d527f8f8402f774559f6cf282c83b751f02d2feaf9e040771c07bc4038a59e5a

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 27KB
MD5: 539930de67b99bab23fe2c67000eeddb
SHA1: 6b0e5ece46ecb0b019ec71caa44facf122647059
SHA256: 2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c
SHA512: ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

Filesize: 957B
MD5: 06f405331f1f99bd455f4afa7b8ee0cc
SHA1: 815d8d81c01208aef4bc1a0048b2d4f4171b26f6
SHA256: b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790
SHA512: a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c

Filesize: 71KB
MD5: 490d1e0a28234dcd02db60d5a87f0691
SHA1: 6edc0f7aa19150b49df1b96b5c6bbee036c0ef7a
SHA256: 06ce8cb39081cd09df95911494f46ae85b27e37e4f83aa9c80b887bf69e87e22
SHA512: 0ea4a0b0030371c031de694df115a284fa2d3a7697071072e2a7d83afbb60201313787e4d537a6111ba716e78d9dcfcac523633e2667bc00bbe1b125fb6641eb

Filesize: 12KB
MD5: d24bea7d3b999f28e375d1d061a03d97
SHA1: 95b207708762aa4752c77728128cbe3033646204
SHA256: 57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2
SHA512: 3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

Filesize: 10KB
MD5: 01c9f9a623fc35be445dde3e94c2dfaa
SHA1: a018155617cf96d2337b151513e05f6531f7aba4
SHA256: b9fad09698d5891e5f3d9e707895540f47cb0f480c21732a41fdb6ef2cc0f84d
SHA512: 74303d4e827e974e59d7f4f6fc82f3092ff3d64616c3d17392987b23163761218d9516623349c87d728499011bc9867e7bd121f973f01d2cf70626c1eae8149a

Filesize: 2KB
MD5: a96d6b6a930974c1144c83310d0ed0c9
SHA1: 9d2152987585aafcc5af45ea15ccf0ba8f781b39
SHA256: f0da16198da1b68ab87d913b5def804cd36f4da16df22a7cba52f4f12fe7475d
SHA512: 57b622ced6ae1432086130e9a8604ba8d572eb0d6ee6033d5d0cee4740648fc23208ad93b66031cd76661026be794093f4a4e199568f11cbee631529229f9596

Filesize: 2.3MB
MD5: 49fc0b0c5939cf071399aa6f2cb5491b
SHA1: ddd0d4089167d47bf1a7754a02d216d9dfa26b1d
SHA256: 5de32ae784595e58cb4ab71cb6301b1e65cd56a19ef9ef0607eb3d8c879e351c
SHA512: a09b6e3ba6609e4571d2645cc5de551bbede188b6fa0811ace64f725c074307424acd1bf1d4988fcd6a2b2bee8e031a0f29fde3983927bd91948be3afacd3161

Filesize: 2.3MB
MD5: 85ab8b1becb45709ea092c81d9cbfb6d
SHA1: 544b12a0310f6303f56a2c5739cf56a532149550
SHA256: fd4e2d7b18a353724bfa0b870dea42cc8fcb13f73d667374216e9ae8737d77ef
SHA512: 81d97bf12176d069a354b2445d61348a0df6e1df7f04e4a293a82c81ccd113731d7acbeb06669d7627fd688c8e57f0f5faa426c8682c940ce6f3219bbcf850cc

Filesize: 52KB
MD5: bbf9dbdc079c0cd95f78d728aa3912d4
SHA1: 051f76cc8c6520768bac9559bb329abeebd70d7c
SHA256: bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2
SHA512: af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

Filesize: 453KB
MD5: 96f7cb9f7481a279bd4bc0681a3b993e
SHA1: deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256: d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512: 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Filesize: 10KB
MD5: c949974e2fc5c8909c2efafb92f7640d
SHA1: ec68489a4a4fa022e5b60901f7221d733365a9c9
SHA256: 1131721b6f906cedebbcefe223725ae0f5c7ad0a96219eabaa49dc8d38cedf40
SHA512: 8fc8e3cdcb66ec98962d0f888f0abe90e1a18db09144e00494dda9f56eaf7ed623e0ee13efd8a29fbf72c7094bbc9f489baf2d54e8170bb4b04d5363ec354362

Filesize: 57B
MD5: b658c06c14ff523bce634e14236c9441
SHA1: aa15105fc5cbee478303c5a1d8814a88197573be
SHA256: 29633ff726d1c72f895545fd97d546035e7045a046b3d2888ff0950e67b8eb82
SHA512: 3326a97db218aa09814e80317c1150f8a6808e8b6aab07af27c8126688b30964cc85936940d310c1d4d6190c49eaa01ee51d598775ec8c156676bbfd53f8f4cc

Filesize: 525B
MD5: 3bde564b05fe619b8082900b5c83b536
SHA1: 656b402ff5e478471b1053e50ed8e5bfcc011a11
SHA256: 1fa751b71307c22ceb94e3af09688c0e123b26ae8c16e1c521510f309bca4308
SHA512: 00303409ca69ee71e6e2702d8f06a8ee5418d01e2e0f726394042b0af4b6a5b35f66d5a70664f031feb7e28d13c124b5d08e4b3998b443a2cba3574c4996ca0b

Filesize: 5KB
MD5: d7ee4543371744836d520e0ce24a9ee6
SHA1: a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA256: 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512: e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Filesize: 1.1MB
MD5: d4fe627b0bc66a57bfdb76c531c06ce6
SHA1: 1a9ff0a579460a2e90266ebbfbad127514a74e7a
SHA256: 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
SHA512: bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

Filesize: 1.1MB
MD5: d4fe627b0bc66a57bfdb76c531c06ce6
SHA1: 1a9ff0a579460a2e90266ebbfbad127514a74e7a
SHA256: 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
SHA512: bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

Filesize: 726KB
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Filesize: 726KB
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Filesize: 726KB
MD5: 6014e6dfed68030eda7da4d3574f91ec
SHA1: 88792bb19cf3c0885ffd24ac4f5707d505910c1a
SHA256: 1c6c7ab3da054f0a76ecea29c7e61ab38d81b2d8855f97a1853629436a8ac2c7
SHA512: b6c6dd6534a17699d120dbfe698caa0920771463e55ee11e5b15ba983045a0d271e247e3ce626caa67a2cb813259d2562eeaaecc3c0db45956eefe523271ab62