Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2022, 12:47
Static task: static1
General

Target: 423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
Size: 311KB
MD5: a034cbb1ffdcc27f1eb9d3e90d03a638
SHA1: 88d16b6e1b93389a89a2b86a6d57c512b57b678d
SHA256: 423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02
SHA512: cae1ba18bd3483c34a2d13731c8e9fdd7cec0d0121b62f842b8eb6fda97f5032af0970f149da953a01ea7bebdd828ffc003a5abc45936c56d4c08b3a109d2376
SSDEEP: 6144:40AALtEZ8Ubf52YC96UOQ8IXa1atOgkfH4rWlRjO1n:407hEZ8UbtC4UE1wOgjrW9u
Malware Config
Signatures
Detects Smokeloader packer 2 IoCs
resource                                                                     yara_rule
behavioral1/memory/1128-133-0x0000000002190000-0x0000000002199000-memory.dmp  family_smokeloader
behavioral1/memory/1128-136-0x0000000002190000-0x0000000002199000-memory.dmp  family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request 3 IoCs
flow  pid   Process
92    2592  rundll32.exe
95    2592  rundll32.exe
112   2592  rundll32.exe
Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid   Process
1748  EBBC.exe
4876  sawhret

Loads dropped DLL 1 IoCs
pid   Process
2592  rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process       procid_target
PID 2592 set thread context of 3060  2592  rundll32.exe  92
Drops file in Program Files directory 38 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid  pid_target  Process       procid_target
628  1748        WerFault.exe  87
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sawhret
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sawhret
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sawhret
Checks processor information in registry 2 TTPs 27 IoCs
Processor information is often read in order to detect sandboxing environments.
Modifies registry class 30 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   Process
1040  Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1128  423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
1128  423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
1040  Process not Found  (62 identical entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1040  Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs
pid   Process
1128  423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
4876  sawhret

Suspicious use of AdjustPrivilegeToken 16 IoCs
description                       pid   Process
Token: SeShutdownPrivilege        1040  Process not Found  (8 identical entries)
Token: SeCreatePagefilePrivilege  1040  Process not Found  (8 identical entries)

Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
3060  rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1040  Process not Found
1040  Process not Found

Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process            procid_target
PID 1040 wrote to memory of 1748  1040  Process not Found  87  (3 identical entries)
PID 1748 wrote to memory of 2592  1748  EBBC.exe           88  (3 identical entries)
PID 2592 wrote to memory of 3060  2592  rundll32.exe       92  (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1128

C:\Users\Admin\AppData\Local\Temp\EBBC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EBBC.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1748

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      PID: 2592

        C:\Windows\system32\rundll32.exe
          command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow
          PID: 3060

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 528
      - Program crash
      PID: 628

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1748 -ip 1748
  PID: 4092

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2832

C:\Users\Admin\AppData\Roaming\sawhret
  command line: C:\Users\Admin\AppData\Roaming\sawhret
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 4876

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 4632
Network

MITRE ATT&CK Enterprise v6
Downloads