Analysis

max time kernel: 143s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2022 14:20

Static task: static1
Behavioral task: behavioral1
Sample: 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
Resource: win10v2004-20221111-en
General

Target: 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
Size: 311KB
MD5: e471ee462cabc829b7f98094ec9ed40c
SHA1: 6f9bc1e5a5df156c9f0fc8fbd6cfc52eef7dd868
SHA256: 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc
SHA512: 22b5ae685ea50787fc5048e9ce894fe7aaca952b321e2af66967a3fb676f578754eb194a710af7072e3604e18a0a016f2df8a96f05d0ccf1009fb3c4e89b3259
SSDEEP: 6144:sSlLoqgLs+GSquhTLIpbPIiIHmvEK8H4rWlRjO1n:ssUqgVqynIpbPIDGcKfrW9u
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  Processes:
    resource | yara_rule
    behavioral1/memory/404-133-0x0000000002050000-0x0000000002059000-memory.dmp | family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (3 IoCs)
  Processes:
    flow | pid | process
    30 | 2276 | rundll32.exe
    35 | 2276 | rundll32.exe
    54 | 2276 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    5076 | CAE6.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\icudtl\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\icudtl.dll" | rundll32.exe

Sets service image path in registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\icudtl\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe

Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    2276 | rundll32.exe
    4564 | svchost.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 2276 set thread context of 4360 | 2276 | rundll32.exe | rundll32.exe

Drops file in Program Files directory (12 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll | rundll32.exe
    File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp | rundll32.exe
    File created | C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.gif | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | rundll32.exe
    File created | C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png | rundll32.exe
    File created | C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | rundll32.exe
    File created | C:\Program Files (x86)\WindowsPowerShell\Modules\icudtl.dll | rundll32.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    760 | 5076 | WerFault.exe | CAE6.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

Checks processor information in registry (2 TTPs, 50 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
    Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | svchost.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | svchost.exe
    Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
    Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Processes:
description ioc process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -
Modifies registry class (30 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093559b7a100054656d7000003a0009000400efbe6b558a6c9355a27a2e00000000000000000000000000000000000000000000000000ed21d700540065006d007000000014000000
    Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
    Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | rundll32.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    1056

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    404 | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
    404 | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
    1056 (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    1056

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    404 | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 1056 (9 entries)
    Token: SeCreatePagefilePrivilege | 1056 (9 entries)

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid | process
    4360 | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    1056
    1056

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 1056 wrote to memory of 5076 | 1056 | | CAE6.exe (3 entries)
    PID 5076 wrote to memory of 2276 | 5076 | CAE6.exe | rundll32.exe (3 entries)
    PID 2276 wrote to memory of 4360 | 2276 | rundll32.exe | rundll32.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe"
  PID: 404
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\CAE6.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CAE6.exe
  PID: 5076
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    PID: 2276
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
      PID: 4360
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3984

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 528
    PID: 760
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5076 -ip 5076
  PID: 4492

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4736

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 4564
  - Loads dropped DLL
  - Checks processor information in registry

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\icudtl.dll",GRkA
    PID: 1612
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\icudtl.dll
  Filesize: 726KB
  MD5: 06a7ada0820f67af8a35319c67934c24
  SHA1: b79650b0ca8196131bea513a15c846f08e116aa1
  SHA256: e1a5cd53ba4d9022b6a25f1a5c818b53939fe64023271fccd4e2787e4f8953d9
  SHA512: f1bf92ffbac01291c32f294eeab24db607213da49db27cfab8e6b1aa8748a663381ebae569ad66d946a2dc095f3381004213292dc36e20742caa4937348475d2
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 26KB
  MD5: 2bc8ee174a90308d275eda81bf42d95e
  SHA1: 284647d3ee515e4794d1984d2f01989f33121d2d
  SHA256: d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8
  SHA512: fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c.xml
  Filesize: 3KB
  MD5: 7c7088d81be7468216906e3c2e9b171b
  SHA1: 2c4acc956ac68eae04b8f86c93a62f411ed730a7
  SHA256: 9db8e860ebfbcec743ab4779801f4b4772ec6b5d295c894dd3a58c9767f08564
  SHA512: 6a2e6a3a26cc0c98db5039514d56232d592ed44b72ebe27dfe9fb965ce6fedc4202ecc3f49cf6be01aaa4780b7ad31f158523c51a158ad99ad86c596794cc9c4
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftNotepad.xml
  Filesize: 957B
  MD5: 06f405331f1f99bd455f4afa7b8ee0cc
  SHA1: 815d8d81c01208aef4bc1a0048b2d4f4171b26f6
  SHA256: b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790
  SHA512: a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
  Filesize: 2.3MB
  MD5: 61f1f317648b7d7885bf9d4a97375d41
  SHA1: 668faf90153bb15cac59db51caabd01a2317d5ef
  SHA256: ba835d772e98dc27ac2b4c5648c521bec38f88e944dc1f4472284eafd8a7e025
  SHA512: 04c8b5ad471a8ff051aabc8137a088c5144c2e076534dec0785472de48ec135c2b954dd1d4c0f4ddeef3563c4e4724898a9a3b12b5f7d5771c69ea20350d2db2
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
  Filesize: 2KB
  MD5: b92eea712a8a63a66e21156d66a5fcfc
  SHA1: 86f3274afee32518c49307c92b586ca67fbd98ae
  SHA256: d6ca1a7c439c5e1d33f71959740e9991c89152ff6f4c429c146d13f40a4b428e
  SHA512: 94577d5a1b344af5862e9f0ed430cbae21f4d955604684faf57e236a6aeb03f0340816dc8b4d758f943e24e105d0dce420984b082621f6f57745ba758870464f
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
  Filesize: 1KB
  MD5: 6097c7d404561758417639b12d27baf9
  SHA1: 21d00beeae632bd9e507c9fa76d64ebfc72d4618
  SHA256: df08eac8ede4a75785dcee3fc0819d22e2f9b6af07b2fe42149401aaa788f1d4
  SHA512: b4716a20095942973f2ac292acf8693d6a68fdb96317438f057039a31d19de1030622b092b0f02b61a409a5b6581baf7506cd4c58f79c4c36cf01abc131cc3db
-
C:\Users\Admin\AppData\Local\Temp\CAE6.exe
  Filesize: 1.1MB
  MD5: 076f3ebdf25ab73e33b760c7171db59a
  SHA1: 76ec6960e35a5b4adb6886479355c9a93bddcc00
  SHA256: 57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21
  SHA512: 8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
  Filesize: 726KB
  MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
  SHA1: 6b244d708706441095ae97294928967ddf28432b
  SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
  SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
\??\c:\program files (x86)\windowspowershell\modules\icudtl.dll
  Filesize: 726KB
  MD5: 06a7ada0820f67af8a35319c67934c24
  SHA1: b79650b0ca8196131bea513a15c846f08e116aa1
  SHA256: e1a5cd53ba4d9022b6a25f1a5c818b53939fe64023271fccd4e2787e4f8953d9
  SHA512: f1bf92ffbac01291c32f294eeab24db607213da49db27cfab8e6b1aa8748a663381ebae569ad66d946a2dc095f3381004213292dc36e20742caa4937348475d2
-
memory/404-135-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
-
memory/404-132-0x00000000004E9000-0x00000000004FE000-memory.dmp
  Filesize: 84KB
-
memory/404-134-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
-
memory/404-133-0x0000000002050000-0x0000000002059000-memory.dmp
  Filesize: 36KB
-
memory/1612-170-0x0000000000000000-mapping.dmp
-
memory/1612-172-0x00000000049F0000-0x0000000005115000-memory.dmp
  Filesize: 7.1MB
-
memory/1612-174-0x00000000049F0000-0x0000000005115000-memory.dmp
  Filesize: 7.1MB
-
memory/2276-154-0x0000000004F19000-0x0000000004F1B000-memory.dmp
  Filesize: 8KB
-
memory/2276-145-0x00000000046B0000-0x0000000004DD5000-memory.dmp
  Filesize: 7.1MB
-
memory/2276-152-0x0000000004EA0000-0x0000000004FE0000-memory.dmp
  Filesize: 1.2MB
-
memory/2276-139-0x0000000000000000-mapping.dmp
-
memory/2276-146-0x00000000046B0000-0x0000000004DD5000-memory.dmp
  Filesize: 7.1MB
-
memory/2276-147-0x0000000004EA0000-0x0000000004FE0000-memory.dmp
  Filesize: 1.2MB
-
memory/2276-148-0x0000000004EA0000-0x0000000004FE0000-memory.dmp
  Filesize: 1.2MB
-
memory/2276-159-0x00000000046B0000-0x0000000004DD5000-memory.dmp
  Filesize: 7.1MB
-
memory/2276-149-0x0000000004EA0000-0x0000000004FE0000-memory.dmp
  Filesize: 1.2MB
-
memory/2276-151-0x0000000004EA0000-0x0000000004FE0000-memory.dmp
  Filesize: 1.2MB
-
memory/2276-150-0x0000000004EA0000-0x0000000004FE0000-memory.dmp
  Filesize: 1.2MB
-
memory/3984-175-0x0000000000000000-mapping.dmp
-
memory/4360-155-0x0000018B78B60000-0x0000018B78CA0000-memory.dmp
  Filesize: 1.2MB
-
memory/4360-158-0x0000000000E50000-0x0000000001069000-memory.dmp
  Filesize: 2.1MB
-
memory/4360-157-0x0000018B78B60000-0x0000018B78CA0000-memory.dmp
  Filesize: 1.2MB
-
memory/4360-156-0x0000018B77190000-0x0000018B773BA000-memory.dmp
  Filesize: 2.2MB
-
memory/4360-153-0x00007FF6E22E6890-mapping.dmp
-
memory/4360-160-0x0000018B77190000-0x0000018B773BA000-memory.dmp
  Filesize: 2.2MB
-
memory/4564-173-0x0000000003B60000-0x0000000004285000-memory.dmp
  Filesize: 7.1MB
-
memory/4564-164-0x0000000003B60000-0x0000000004285000-memory.dmp
  Filesize: 7.1MB
-
memory/5076-144-0x0000000000400000-0x0000000000517000-memory.dmp
  Filesize: 1.1MB
-
memory/5076-143-0x0000000002260000-0x0000000002375000-memory.dmp
  Filesize: 1.1MB
-
memory/5076-142-0x0000000002159000-0x000000000222F000-memory.dmp
  Filesize: 856KB
-
memory/5076-136-0x0000000000000000-mapping.dmp