Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-12-2022 13:34
Static task
static1
Behavioral task
behavioral1
Sample
a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe
Resource
win10v2004-20221111-en
General
-
Target
a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe
-
Size
311KB
-
MD5
382f445fa18126435bbd631d6720bf88
-
SHA1
4d714a4c71e87dddaea89f8ada74f9feb2e83a6d
-
SHA256
a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc
-
SHA512
abf5c104c74aa27f3dab57971820d97a9c25f765e20e273433dafaa1b4a447cd4f781b1f47a6af8c0350c29cf05fe918b807b2d410ae3b500fe2d2876169f978
-
SSDEEP
6144:k9R3L2Hj5hkGIFcPlS9LP/M1FxPH4rWlRjO1n:kL8j5hkGIF0s9LXmxArW9u
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
Resource:
- behavioral1/memory/2240-133-0x00000000006B0000-0x00000000006B9000-memory.dmp, yara rule: family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
Processes:
- rundll32.exe (PID 3144), flow 38
- rundll32.exe (PID 3144), flow 55
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
- BCFC.exe (PID 3140)
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ViewerPS\Parameters\ServiceDll = "C:\Program Files (x86)\WindowsPowerShell\Modules\ViewerPS.dll" (the recorded value carries one trailing non-ASCII garbage character after ".dll")
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ViewerPS\ImagePath = "C:\Windows\system32\svchost.exe -k LocalService"
-
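The two registry writes above are the standard svchost-hosted service persistence: ImagePath points at svchost.exe with a service group, and Parameters\ServiceDll names the DLL that svchost loads for the service. Two details make this instance stand out on a live host: the DLL sits under Program Files (x86)\WindowsPowerShell\Modules rather than System32, and both values were written as plain strings (REG_SZ), whereas built-in svchost services use REG_EXPAND_SZ with %SystemRoot%. The Python below is an added example, not part of the sandbox report or of any sandbox tooling: it parses the text that `reg export HKLM\SYSTEM\ControlSet001\Services` produces (including the hex(2) encoding reg.exe uses for REG_EXPAND_SZ) and flags svchost-hosted services on either of those two signals. SAMPLE_REG is constructed: the ViewerPS entries mirror the values the report records, the Dnscache entries are a made-up benign control case.

```python
"""Hunt svchost-hosted services whose ServiceDll lives outside the Windows
directory, from a `reg export` of the Services key. Added example, not part of
the sandbox report; SAMPLE_REG is constructed (ViewerPS mirrors the report's
values, Dnscache is a made-up benign control)."""
import re
from typing import Dict, List, Tuple

# reg.exe writes REG_EXPAND_SZ as hex(2): comma-separated UTF-16LE bytes,
# wrapped over lines that end in a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
  20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,00,69,00,\
  63,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  6e,00,73,00,72,00,73,00,6c,00,76,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ViewerPS]
"ImagePath"="C:\\Windows\\system32\\svchost.exe -k LocalService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ViewerPS\Parameters]
"ServiceDll"="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\ViewerPS.dll"
'''

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\(([0-9a-f]+)\))?:(.*)$')
_HEX_TYPES = {None: 'REG_BINARY', '2': 'REG_EXPAND_SZ', '7': 'REG_MULTI_SZ'}
RegKeys = Dict[str, Dict[str, Tuple[str, object]]]


def _decode_value(raw: str) -> Tuple[str, object]:
    """Return (registry type, decoded value) for one .reg value string."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):       # REG_SZ, .reg-escaped
        return 'REG_SZ', raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    m = _HEX_RE.match(raw)
    if m:
        kind = m.group(1)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        rtype = _HEX_TYPES.get(kind, f'hex({kind})')
        if kind in ('2', '7'):                            # UTF-16LE, NUL-terminated
            return rtype, data.decode('utf-16-le').rstrip('\x00')
        return rtype, data
    return 'UNKNOWN', raw                                 # dword: etc., unused here


def parse_reg_export(text: str) -> RegKeys:
    """Parse .reg text into {key path: {value name: (type, value)}}."""
    text = re.sub(r'\\\r?\n\s*', '', text)               # re-join wrapped hex lines
    keys: RegKeys = {}
    current = None
    for line in text.splitlines():
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VAL_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = _decode_value(vm.group(2))
    return keys


def find_suspicious_svchost_services(keys: RegKeys,
                                     windows_dir: str = r'C:\Windows') -> List[dict]:
    """Flag svchost-hosted services whose ServiceDll is outside System32/SysWOW64
    or whose ImagePath is a plain REG_SZ (built-in ones are REG_EXPAND_SZ)."""
    trusted = tuple(f'{windows_dir}\\{d}\\'.lower() for d in ('system32', 'syswow64'))
    findings = []
    for key, values in keys.items():
        if 'ImagePath' not in values:
            continue
        img_type, image = values['ImagePath']
        if not isinstance(image, str) or 'svchost.exe' not in image.lower():
            continue
        params = keys.get(key + r'\Parameters', {})
        if 'ServiceDll' not in params:
            continue
        dll = str(params['ServiceDll'][1])
        expanded = re.sub(r'%systemroot%', lambda _: windows_dir, dll, flags=re.I)
        reasons = []
        if not expanded.lower().startswith(trusted):
            reasons.append('ServiceDll outside System32/SysWOW64')
        if img_type != 'REG_EXPAND_SZ':
            reasons.append(f'ImagePath stored as {img_type}')
        if reasons:
            findings.append({'service': key.rsplit('\\', 1)[-1], 'image_path': image,
                             'service_dll': expanded, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in find_suspicious_svchost_services(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

On a real export, replace SAMPLE_REG with the file contents (reg.exe writes UTF-16LE with a BOM, so open it with `encoding='utf-16'`), and run it against every ControlSetNNN, not only the one the sandbox happened to record; the ViewerPS entry is flagged on both signals, Dnscache on neither.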
Loads dropped DLL 1 IoCs
Processes:
- rundll32.exe (PID 3144)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- rundll32.exe (PID 3144) set thread context of rundll32.exe (PID 4760)
-
Drops file in Program Files directory 32 IoCs
Processes (all by rundll32.exe):
Files opened for modification under C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader:
- FullTrustNotifier.exe
- AcroApp\ENU\Certificates_R.aapp
- Tracker\server_issue.gif
- AcroApp\ENU\Edit_R_Full.aapp
- WebResources\Resource0\plugins.js
- WebResources\Resource0\static\images\duplicate.svg
- ScCore.dll
- WebResources\Resource0\static\images\back-arrow-focus.svg
- WebResources\Resource0\static\css\main-cef-ui-theme.css
- plug_ins\Multimedia\MPP\Flash.mpp
- WebResources\Resource0\static\images\ccloud_retina.png
- WebResources\Resource0\index.html
- WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png
- Tracker\server_ok.gif
- WebResources\Resource0\static\images\file_types\comment.svg
- Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Files created under C:\Program Files (x86)\WindowsPowerShell\Modules:
- duplicate.svg
- comment.svg
- plugins.js
- server_issue.gif
- back-arrow-focus.svg
- index.html
- server_ok.gif
- Edit_R_Full.aapp
- FullTrustNotifier.exe
- ccloud_retina.png
- Certificates_R.aapp
- ScCore.dll
- ViewerPS.dll
- Flash.mpp
- WCChromeNativeMessagingHost.exe
- main-cef-ui-theme.css
Fifteen of the sixteen created names match an Adobe Reader file opened in the same burst; ViewerPS.dll is the only created file with no same-named source, and it is the DLL the service entries above point at.
-
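The pairing above (legitimate vendor files re-created next to the payload DLL) is a cheap thing to automate when reading a sandbox file list or an EDR file-event stream. The Python below is an added example, not part of the report: it pairs each created file with a same-named file opened in a different directory, so the decoy copies fall out as pairs and whatever is created without a source is left as the payload candidate. FILE_EVENTS is a constructed subset of the report's entries, in the order the report lists them; the full list would work the same way.

```python
"""Separate decoy copies from the real payload among the files the loader
dropped. Added example, not part of the sandbox report; FILE_EVENTS is a
constructed subset of the report's "Drops file in Program Files directory"
entries, in the order the report lists them."""
import ntpath
from collections import defaultdict
from typing import Dict, List, Tuple

READER = r'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader'
MODULES = r'C:\Program Files (x86)\WindowsPowerShell\Modules'

FILE_EVENTS: List[Tuple[str, str]] = [
    ('opened for modification', READER + r'\FullTrustNotifier.exe'),
    ('created', MODULES + r'\plugins.js'),
    ('opened for modification', READER + r'\WebResources\Resource0\plugins.js'),
    ('opened for modification', READER + r'\ScCore.dll'),
    ('created', MODULES + r'\FullTrustNotifier.exe'),
    ('created', MODULES + r'\ScCore.dll'),
    ('created', MODULES + r'\ViewerPS.dll'),
    ('opened for modification', READER + r'\WebResources\Resource0\static\images'
                                r'\file_types\hi_contrast'
                                r'\aic_file_icons_retina_thumb_highContrast_wob.png'),
    ('opened for modification', READER + r'\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe'),
    ('created', MODULES + r'\WCChromeNativeMessagingHost.exe'),
]


def classify_drops(events: List[Tuple[str, str]]):
    """Return (paired, created_only, read_only).

    paired:       created path -> same-named file opened in another directory
                  (a copy of a legitimate file, i.e. a decoy)
    created_only: created files with no same-named source (payload candidates)
    read_only:    opened files that were never re-created anywhere
    """
    read_by_name: Dict[str, List[str]] = defaultdict(list)
    for action, path in events:
        if action == 'opened for modification':
            read_by_name[ntpath.basename(path).lower()].append(path)
    paired: Dict[str, str] = {}
    created_only: List[str] = []
    for action, path in events:
        if action != 'created':
            continue
        sources = [s for s in read_by_name.get(ntpath.basename(path).lower(), [])
                   if ntpath.dirname(s).lower() != ntpath.dirname(path).lower()]
        if sources:
            paired[path] = sources[0]
        else:
            created_only.append(path)
    matched = {s.lower() for s in paired.values()}
    read_only = [p for a, p in events
                 if a == 'opened for modification' and p.lower() not in matched]
    return paired, created_only, read_only


def payload_candidates(events: List[Tuple[str, str]],
                       exts: Tuple[str, ...] = ('.dll', '.exe')) -> List[str]:
    """Created files with no legitimate source and a loadable extension."""
    _, created_only, _ = classify_drops(events)
    return [p for p in created_only if p.lower().endswith(exts)]


if __name__ == '__main__':
    paired, created_only, read_only = classify_drops(FILE_EVENTS)
    print(f'{len(paired)} decoy copies; payload candidates: '
          f'{payload_candidates(FILE_EVENTS)}')
```

Matching on basename alone is deliberate: the report shows the source files scattered across several Reader subdirectories and the copies flattened into one directory, so directory structure carries no signal here. Run on the constructed subset, the four Reader files with a counterpart come back as pairs and ViewerPS.dll is the sole candidate.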
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
- WerFault.exe (PID 4960), target: BCFC.exe (PID 3140)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (all by a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (all by rundll32.exe), under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor:
- Key opened: CentralProcessor, CentralProcessor\0, CentralProcessor\1
- Key enumerated: CentralProcessor
- Key values enumerated: CentralProcessor\0, CentralProcessor\1
- Key values queried under CentralProcessor\0: Configuration Data, Identifier, Update Status, Update Revision, Component Information, ProcessorNameString, ~MHz, Previous Update Revision, Platform Specific Field 1, VendorIdentifier
- Key values queried under CentralProcessor\1: Update Status, Platform Specific Field 1, ~MHz, Component Information, Configuration Data, Update Revision, Previous Update Revision, Identifier
-
(signature name not captured in the extracted page; Internet Explorer toolbar settings, 4 IoCs, no process recorded)
Processes:
- Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
- Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
-
Modifies registry class 30 IoCs
Processes:
(Shell below stands for \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell; the process is rundll32.exe where the report records one)
- Set value (data) Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
- Set value (data) Shell\BagMRU\NodeSlots = 02
- Set value (data) Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created Shell\BagMRU
- Set value (int) Shell\BagMRU\0\0\0\0\NodeSlot = "1"
- Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
- Set value (data) Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)
- Key created Shell\BagMRU\0\0\0\0
- Key created Shell\Bags
- Key created Shell\Bags\1
- Set value (data) Shell\BagMRU\NodeSlots
- Set value (data) Shell\BagMRU\MRUListEx = ffffffff
- Key created Shell\BagMRU\0\0\0
- Set value (data) Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) Shell\BagMRU\NodeSlots (rundll32.exe)
- Set value (data) Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
- Set value (data) Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
- Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Set value (data) Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
- Set value (data) Shell\BagMRU\0\MRUListEx = 00000000ffffffff
- Set value (data) Shell\BagMRU\0\0\0\0 = 4e0031000000000093555c74100054656d7000003a0009000400efbe6b55586c935563742e00000000000000000000000000000000000000000000000000a038ca00540065006d007000000014000000
- Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (rundll32.exe)
- Key created Shell (rundll32.exe)
- Key created Shell\BagMRU\0
- Set value (data) Shell\BagMRU\MRUListEx = 00000000ffffffff
- Key created Shell\Bags\1\Shell
- Set value (str) Shell\Bags\1\Shell\SniffedFolderType = "Generic"
- Key created Shell\BagMRU (rundll32.exe)
- Key created Shell\BagMRU\0\0
These are shellbag (BagMRU/Bags) entries; the folder names Local, AppData and Temp are readable in the hex of the BagMRU\0\0\0, BagMRU\0\0 and BagMRU\0\0\0\0 values, i.e. a shell view of the user's AppData\Local\Temp path.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 2680 (process name not recorded)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe (PID 2240), 2 hits
- PID 2680 (process name not recorded), 62 hits
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 2680 (process name not recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe (PID 2240)
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
- PID 2680 (process name not recorded): Token SeShutdownPrivilege, 9 times
- PID 2680 (process name not recorded): Token SeCreatePagefilePrivilege, 9 times
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- rundll32.exe (PID 4760)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 2680 (process name not recorded), 2 hits
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 2680 (process name not recorded) wrote to memory of BCFC.exe (PID 3140), 3 times
- BCFC.exe (PID 3140) wrote to memory of rundll32.exe (PID 3144), 3 times
- rundll32.exe (PID 3144) wrote to memory of rundll32.exe (PID 4760), 3 times
Processes
-
(indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe"
  PID: 2240
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BCFC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\BCFC.exe
  PID: 3140
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      PID: 3144
      - Blocklisted process makes network request
      - Sets DLL path for service in the registry
      - Sets service image path in registry
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
          PID: 4760
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          PID: 4028
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          PID: 3432
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 536
      PID: 4960
      - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140
  PID: 3672
-
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3864
-
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 2104
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\viewerps.dll",nkpUQXhx
      PID: 1696
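Three links in the tree above are worth turning into rules rather than reading by eye: rundll32 loading a module from Temp with a .tmp extension and a random export name (Ipoetwsuqhd.tmp,Sufeidweoe), rundll32 spawning rundll32 (PID 3144 to 4760, the SetThreadContext target recorded in the signatures), and svchost.exe spawning rundll32 on the dropped ViewerPS.dll. The Python below is an added example, not part of the report: a triage pass over process-creation records. EVENTS is constructed from the tree (image, parent PID, command line); parents the report does not show are set to None, and the parent image of PID 2680 is not in the report so it stays unknown. parse_rundll32 handles quoted and unquoted module paths and ordinal entry points such as #61, and the shell32 COM activation (PID 3864) is included as a benign control that must not fire.

```python
"""Triage rules for the rundll32 chain in the process tree. Added example, not
part of the sandbox report; EVENTS is constructed from the tree (image, parent
PID, command line). Parents the report does not show are None."""
import ntpath
import re
from typing import Dict, List, Tuple

WINDIR = 'c:\\windows\\'

EVENTS: List[dict] = [
    {'pid': 3140, 'ppid': 2680, 'image': r'C:\Users\Admin\AppData\Local\Temp\BCFC.exe',
     'cmdline': r'C:\Users\Admin\AppData\Local\Temp\BCFC.exe'},
    {'pid': 3144, 'ppid': 3140, 'image': r'C:\Windows\SysWOW64\rundll32.exe',
     'cmdline': r'"C:\Windows\system32\rundll32.exe" '
                r'"C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe'},
    {'pid': 4760, 'ppid': 3144, 'image': r'C:\Windows\system32\rundll32.exe',
     'cmdline': r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979'},
    {'pid': 3864, 'ppid': None, 'image': r'C:\Windows\System32\rundll32.exe',
     'cmdline': r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,'
                r'SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding'},
    {'pid': 2104, 'ppid': None, 'image': r'C:\Windows\SysWOW64\svchost.exe',
     'cmdline': r'C:\Windows\SysWOW64\svchost.exe -k LocalService'},
    {'pid': 1696, 'ppid': 2104, 'image': r'C:\Windows\SysWOW64\rundll32.exe',
     'cmdline': r'"C:\Windows\system32\rundll32.exe" '
                r'"c:\program files (x86)\windowspowershell\modules\viewerps.dll",nkpUQXhx'},
]


def parse_rundll32(cmdline: str) -> Tuple[str, str, str]:
    """Split a rundll32 command line into (module path, entry point, arguments).
    Handles a quoted or bare program token, a quoted or bare module path, and
    ordinal entry points such as #61."""
    rest = cmdline.strip()
    if rest.startswith('"'):                       # skip quoted program token
        rest = rest[rest.index('"', 1) + 1:]
    else:                                          # skip bare program token
        rest = rest.split(None, 1)[1] if ' ' in rest else ''
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.index('"', 1)
        module, rest = rest[1:end], rest[end + 1:]
    else:
        m = re.match(r'[^,\s]*', rest)
        module, rest = m.group(0), rest[m.end():]
    entry = args = ''
    if rest.startswith(','):
        parts = rest[1:].strip().split(None, 1)
        entry = parts[0] if parts else ''
        args = parts[1] if len(parts) > 1 else ''
    return module, entry, args


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [finding, ...]} for rundll32 processes that match a rule."""
    by_pid = {e['pid']: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        if ntpath.basename(ev['image']).lower() != 'rundll32.exe':
            continue
        parent = by_pid.get(ev['ppid'])
        pimage = ntpath.basename(parent['image']).lower() if parent else ''
        module, _, _ = parse_rundll32(ev['cmdline'])
        mod_l = module.lower()
        hits = []
        # A bare module name resolves through the DLL search order and is not
        # judged here; a path given explicitly is expected under C:\Windows.
        if '\\' in mod_l and not mod_l.startswith(WINDIR):
            hits.append(f'module outside {WINDIR}: {module}')
        if module and not mod_l.endswith('.dll'):
            hits.append(f'module without .dll extension: {ntpath.basename(module)}')
        if pimage == 'rundll32.exe':
            hits.append('parent is rundll32.exe (hollowing/injection chain)')
        if pimage == 'svchost.exe':
            hits.append('parent is svchost.exe (service-hosted loader)')
        if hits:
            findings[ev['pid']] = hits
    return findings


if __name__ == '__main__':
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

Applied to the constructed events, PID 3144 fires on both module rules, PID 4760 on the rundll32-parent rule only (shell32.dll under System32 is clean on its own), PID 1696 on the module path and the svchost parent, and PID 3864 not at all. In a real Sysmon or EDR feed the parent-rundll32 rule also catches the case where the child is a legitimate-looking shell32 call, which is exactly the shape recorded here.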
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\ViewerPS.dll
Filesize: 726KB
MD5: ddaccee169da4acce9f7377688f27fde
SHA1: 99ac72ff0d7ec2447d4e1879150d0f071aa8fed6
SHA256: f688959f9119dee5943f8c7c0f97b794512aa14d7662886353e35c94a410f6cb
SHA512: b61294e9146efbf7732f3def9d5608dbdfac1fe68325a2029b32b4d878317429a2552d7dd76db012fcfb03dc1642116f40bcb16d815215d8a4569e58f247922b
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32ww.msi.16.x-none.xml
Filesize: 331KB
MD5: b5cf5d15a8e6c6f2eb99a5645a2c2336
SHA1: 7efe1b634ce1253a6761eb0c54f79dd42b79325f
SHA256: f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
SHA512: 83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize: 13KB
MD5: c7405e2e68aec89e44862595ccc0d186
SHA1: 2cc8d73f93dd875134917795633bb606911f1069
SHA256: 9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37
SHA512: 0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe.xml
Filesize: 7KB
MD5: cc4cc0e085cfafe9c540f7a6a4cad93e
SHA1: 8982a1b3d8f3d8bc37b1c12f9a7f594723d03247
SHA256: fa0819943729b9c38d89e92fcbc31ba393b49baa524bfa4ee9f2f471f8fcf756
SHA512: b8f591ee4b5b241025a0d583efed50fb548a180599bc4dab2f7b978da4daf08ca917e539354e2510aaca35257854034de3e3f3a8242eaa71f5ec9c4b3dc289d5
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize: 839B
MD5: 5ddffd275e173019cb301fe2c96a2f3f
SHA1: 0303cebf14f4304d93733426aee485e4bf7efe29
SHA256: d1e768a7bb7a5851697a2a5bec63670c9d90b72d1f77169ef231c265b9cb8272
SHA512: e92f31f56dc2f5dfa0963978239303d2c5755b5bfa363910f18e5168703d3ddfc506ad522915b90f9d489997a66a3db780762e750a658ac7835b75d8d299684a
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize: 2.3MB
MD5: fb6ca0eabc5ef74a0e826d9dd225e346
SHA1: 564281df79abcb55a5a4481f5be0bd9d09213272
SHA256: e2aebf5b22d995721f6f8aca57fcd004318bb710b2cf4a46bd675a622e14fc63
SHA512: 830f404f28408e63f8a7d0edae85596baa278f05f179373a67f0fcc1f2ca394154dd56b8401cf3f1e087f273d2f897f214d9cc54a2bf3eeb6db8c0ded0aebd60
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\TELEMETRY.ASM-WINDOWSSQ.json
Filesize: 53B
MD5: 6b5c875287b25d64563bd7c830621b66
SHA1: df0c4dcbbf3ce6706cae126955b4fcb88be0694a
SHA256: 9d45f7e6114d2088ab05423697cafedc0a9926f785358cb2faddc4f1e45b193d
SHA512: 608b92078a9082b4bfe2b066891127713cfd4329d8b26a3747b672c19e41e25242f60153517227a04a3f2b355805584cd4fe2f2dece45b1cd5dfc814a486d229
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ThemeSettings2013.xml
Filesize: 2KB
MD5: 986d31966b8370330842dc0cd8eac1f1
SHA1: 3e96a8f449cc3930a0cec85f2e24190452b058eb
SHA256: 56e478dcefd0863a8af9edb7d4f8bc746d077e5f5df637bad19e66cbbbe20cb0
SHA512: 7ed19b3eeeb35882795a3d4a20193b9a60e905ea855704afdc5ea7e3b27c3d954061ba04eff5ed9f7cf44aff7c9b4f443c74cfd6088027fb830ad49c59eceefd
-
C:\Users\Admin\AppData\Local\Temp\BCFC.exe
Filesize: 1.1MB
MD5: 8a4cb873c04ffe6859dd5bb381fed9b2
SHA1: c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512: 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize: 726KB
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
\??\c:\program files (x86)\windowspowershell\modules\viewerps.dll (the ViewerPS.dll above, recorded again under its NT path; same hashes)
Filesize: 726KB
MD5: ddaccee169da4acce9f7377688f27fde
SHA1: 99ac72ff0d7ec2447d4e1879150d0f071aa8fed6
SHA256: f688959f9119dee5943f8c7c0f97b794512aa14d7662886353e35c94a410f6cb
SHA512: b61294e9146efbf7732f3def9d5608dbdfac1fe68325a2029b32b4d878317429a2552d7dd76db012fcfb03dc1642116f40bcb16d815215d8a4569e58f247922b
-
Memory dumps (size in parentheses; mapping dumps have none):
memory/1696-176-0x00000000042D0000-0x00000000049F5000-memory.dmp (7.1MB)
memory/1696-175-0x00000000042D0000-0x00000000049F5000-memory.dmp (7.1MB)
memory/1696-172-0x0000000000000000-mapping.dmp
memory/2104-174-0x0000000003010000-0x0000000003735000-memory.dmp (7.1MB)
memory/2104-164-0x0000000003010000-0x0000000003735000-memory.dmp (7.1MB)
memory/2240-133-0x00000000006B0000-0x00000000006B9000-memory.dmp (36KB)
memory/2240-134-0x0000000000400000-0x0000000000453000-memory.dmp (332KB)
memory/2240-135-0x0000000000400000-0x0000000000453000-memory.dmp (332KB)
memory/2240-132-0x0000000000718000-0x000000000072E000-memory.dmp (88KB)
memory/3140-136-0x0000000000000000-mapping.dmp
memory/3140-141-0x0000000000400000-0x0000000000517000-memory.dmp (1.1MB)
memory/3140-145-0x0000000000400000-0x0000000000517000-memory.dmp (1.1MB)
memory/3140-139-0x000000000211E000-0x00000000021F4000-memory.dmp (856KB)
memory/3140-140-0x0000000002300000-0x0000000002415000-memory.dmp (1.1MB)
memory/3144-150-0x0000000003D90000-0x0000000003ED0000-memory.dmp (1.2MB)
memory/3144-148-0x0000000003D90000-0x0000000003ED0000-memory.dmp (1.2MB)
memory/3144-153-0x0000000003D90000-0x0000000003ED0000-memory.dmp (1.2MB)
memory/3144-146-0x0000000005040000-0x0000000005765000-memory.dmp (7.1MB)
memory/3144-142-0x0000000000000000-mapping.dmp
memory/3144-147-0x0000000005040000-0x0000000005765000-memory.dmp (7.1MB)
memory/3144-160-0x0000000005040000-0x0000000005765000-memory.dmp (7.1MB)
memory/3144-149-0x0000000003D90000-0x0000000003ED0000-memory.dmp (1.2MB)
memory/3144-157-0x0000000003E09000-0x0000000003E0B000-memory.dmp (8KB)
memory/3144-152-0x0000000003D90000-0x0000000003ED0000-memory.dmp (1.2MB)
memory/3144-151-0x0000000003D90000-0x0000000003ED0000-memory.dmp (1.2MB)
memory/3432-178-0x0000000000000000-mapping.dmp
memory/4028-177-0x0000000000000000-mapping.dmp
memory/4760-158-0x0000000000910000-0x0000000000B29000-memory.dmp (2.1MB)
memory/4760-159-0x000001E707D00000-0x000001E707F2A000-memory.dmp (2.2MB)
memory/4760-155-0x000001E7096D0000-0x000001E709810000-memory.dmp (1.2MB)
memory/4760-156-0x000001E7096D0000-0x000001E709810000-memory.dmp (1.2MB)
memory/4760-154-0x00007FF742D76890-mapping.dmp
The 7.1MB region (0x725000 bytes) recurs in PIDs 3144, 2104 and 1696, and the 1.2MB region (0x140000 bytes) in 3144 and 4760, consistent with the same unpacked image being mapped into each of those processes; the 36KB region in PID 2240 is the one the SmokeLoader YARA rule matched.