Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2022 09:36
Static task: static1
Behavioral task: behavioral1
- Sample: 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe
- Resource: win10v2004-20221111-en
General
- Target: 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe
- Size: 227KB
- MD5: ba49871be66ed67378d5713ceaa111ff
- SHA1: f6a515b0f4d5bc1ff2ec837ec07ba55b197a25a7
- SHA256: 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019
- SHA512: c648e9c19008fd2d891ba7b8dcd193aeb13248270c61827e32688feba6eacf25cbf64f9b0c60a1f6d47c5896e968f45e62e8c87fcec1371b351d62444d3d7af4
- SSDEEP: 3072:+iZk7XLUO3915sUasekKzJcQ2wKozVfdRN1L1TzJ9Ds6nhWzgKr/so:jkjLUO3da6KFy9QVVRXBTBWzz/
Malware Config
Signatures
-
Detects Smokeloader packer (1 IoC)
- YARA rule family_smokeloader matched behavioral1/memory/720-133-0x00000000001F0000-0x00000000001F9000-memory.dmp, a 36KB region in the sample process (PID 720) separate from its main image at 0x400000
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request (3 IoCs)
- PID 3388 rundll32.exe: network flows 32, 33 and 67
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
- PID 2380 C74C.exe
- PID 2408 33E2.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\server_ok\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\server_ok.dll"
Sets service image path in registry (2 TTPs, 1 IoC)
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\server_ok\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"
Together these two writes register server_ok as a svchost-hosted service whose DLL lives under WindowsPowerShell\Modules rather than System32. The recorded writer is rundll32.exe, not services.exe, so the keys were set directly rather than through the Service Control Manager. Later in the process tree, svchost.exe -k LocalService carries the "Loads dropped DLL" signature (PID 5024 in that table) and has a child rundll32.exe invoking the Mwso export of server_ok.dll.
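Together, the two writes above register server_ok as a service that svchost.exe will host from a DLL outside System32, and the writer is rundll32.exe rather than the Service Control Manager. Added example, not from the report or the sandbox vendor: a Python parser for the report's own `Set value (type) key = "value" process` lines that rebuilds the service definition and applies the two checks an analyst would run on it. The two server_ok lines are the report's; the Dnscache lines are a constructed benign service for contrast, and the trusted-directory list is an assumption.

```python
import re
from collections import defaultdict

# Registry IoC lines in the shape the report prints them. The two server_ok lines are
# the report's own; the two Dnscache lines are a constructed benign service (written by
# the SCM, services.exe) added for contrast and are not from the report.
IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\server_ok\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\server_ok.dll" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\server_ok\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll = "%SystemRoot%\\System32\\dnsrslvr.dll" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k NetworkService -p" services.exe',
]

LINE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>.*)" (?P<proc>\S+)$')
SERVICE_RE = re.compile(r'\\Services\\(?P<svc>[^\\]+)\\(?P<rest>.+)$', re.IGNORECASE)

# Directories a svchost-hosted ServiceDll is expected to live in (assumption for this example).
TRUSTED_DLL_DIRS = ('c:\\windows\\system32\\', '%systemroot%\\system32\\')


def parse_registry_iocs(lines):
    """Parse 'Set value (type) key = "value" process' lines into (type, key, value, process) tuples."""
    parsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            # The report doubles backslashes inside quoted values; undo that.
            parsed.append((m['type'], m['key'], m['value'].replace('\\\\', '\\'), m['proc']))
    return parsed


def reconstruct_services(iocs):
    """Group writes under ...\\Services\\<name>\\ into one dict per service, recording who wrote them."""
    services = defaultdict(lambda: {'writers': set()})
    for _type, key, value, proc in iocs:
        m = SERVICE_RE.search(key)
        if m:
            services[m['svc']][m['rest'].lower()] = value
            services[m['svc']]['writers'].add(proc.lower())
    return dict(services)


def assess_service(name, svc):
    """Apply the two checks an analyst would run on a reconstructed service definition."""
    findings = []
    image = svc.get('imagepath', '').lower()
    dll = svc.get('parameters\\servicedll', '').lower()
    hosted = 'svchost.exe' in image and ' -k ' in image
    if hosted and dll and not dll.startswith(TRUSTED_DLL_DIRS):
        findings.append(f'{name}: svchost-hosted ServiceDll outside System32 ({dll})')
    # Services registered through the SCM are written by services.exe; any other writer
    # set the Services key directly, which is the persistence write itself.
    direct = sorted(svc['writers'] - {'services.exe'})
    if direct:
        findings.append(f'{name}: Services key written directly by {", ".join(direct)}')
    return findings


def findings_for(lines):
    """Parse, reconstruct and assess every service seen in the IoC lines."""
    services = reconstruct_services(parse_registry_iocs(lines))
    return [f for name in sorted(services) for f in assess_service(name, services[name])]


if __name__ == '__main__':
    for finding in findings_for(IOC_LINES):
        print(finding)
```

On a live host the same assess_service check would be run over HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll, and a hunt should also compare the ImagePath group (here -k LocalService) against the group's membership list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, since svchost.exe only hosts services named there; the report records no write to that key.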
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- 33E2.exe: Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (4 IoCs)
- PID 3388 rundll32.exe
- PID 2408 33E2.exe (2 entries, consistent with the mozglue.dll and nss3.dll written to C:\ProgramData)
- PID 5024 svchost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The mozglue.dll and nss3.dll written to C:\ProgramData (see Downloads) are the Mozilla NSS libraries a stealer loads to decrypt Firefox's saved logins.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoC)
- PID 3388 (C:\Windows\SysWOW64\rundll32.exe, 32-bit) set the thread context of PID 4040 (C:\Windows\system32\rundll32.exe, 64-bit). Together with the WriteProcessMemory entries from 3388 into 4040 below, this is process injection into a 64-bit rundll32 host; the memory section records a mapping for PID 4040 at 0x00007FF7D6BA6890, a 64-bit address.
Drops file in Program Files directory (12 IoCs)
- rundll32.exe created, in C:\Program Files (x86)\WindowsPowerShell\Modules\: duplicate.svg, acrobat_parcel_generic_32.svg, sendforsignature.svg, WCChromeNativeMessagingHost.exe, AddressBook2x.png, server_ok.dll
- rundll32.exe opened for modification, under C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\: WebResources\Resource0\static\images\duplicate.svg, WebResources\Resource0\static\images\file_types\sendforsignature.svg, Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, WebResources\Resource0\static\images\AddressBook2x.png, plug_ins\SaveAsRTF.api, WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg
Five of the six files created in the Modules directory carry the names of Acrobat Reader files opened in the same run; only server_ok.dll, the service DLL registered above, has no Reader counterpart.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no mass file writes, no ransom note) supports that here, and the drive enumeration is equally consistent with the SCSI and processor fingerprinting recorded below.
-
Program crash (2 IoCs)
- WerFault.exe PID 2240 for target PID 2380 C74C.exe
- WerFault.exe PID 4364 for target PID 2408 33E2.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe: Key opened, Key queried and Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Checks processor information in registry (2 TTPs, 29 IoCs)
Processor information is often read in order to detect sandboxing environments.
- rundll32.exe: Key opened and Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor; Key opened and Key value enumerated CentralProcessor\0 and CentralProcessor\1; Key value queried, for both CentralProcessor\0 and CentralProcessor\1: Identifier, VendorIdentifier, ProcessorNameString, ~MHz, Configuration Data, Component Information, Platform Specific Field 1, Update Revision, Previous Update Revision, Update Status; and FeatureSet for CentralProcessor\0 only
- 33E2.exe: Key opened CentralProcessor\0; Key value queried CentralProcessor\0\ProcessorNameString
rundll32.exe reads every value under both processor keys, which looks like a full hardware fingerprint rather than a single vendor-string check; 33E2.exe reads only ProcessorNameString.
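The SCSI and CentralProcessor reads above, and the Geo\Nation lookup by 33E2.exe further up, are single registry reads that the malware compares against fixed expectations before committing to run. Added example, not from the report and not the sample's code: the checks in Python over constructed registry snapshots. The values are illustrative rather than captured from this sandbox (the sandbox in this report exposed two processors, CentralProcessor\0 and \1); the hypervisor marker list and the excluded GEOID set are assumptions, since the report does not show what this sample compares against.

```python
# Hypervisor strings commonly found in ProcessorNameString / SCSI device identifiers.
# An assumption for illustration: the report does not show what this sample tests for.
VM_MARKERS = ('vmware', 'vbox', 'virtualbox', 'qemu', 'virtual', 'xen')

# GEOIDs the sample is assumed to refuse to run in. 203 is Russia in the Windows GEOID
# table; which GEOIDs, if any, this sample excludes is not shown in the report.
EXCLUDED_GEOIDS = frozenset({'203'})

PHYSICAL_CPUS = [
    {'ProcessorNameString': 'Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz', 'VendorIdentifier': 'GenuineIntel', '~MHz': 2112},
    {'ProcessorNameString': 'Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz', 'VendorIdentifier': 'GenuineIntel', '~MHz': 2112},
]

# Constructed snapshots of the keys the report shows being read (values are illustrative,
# not captured from the sandbox): a default VM image versus a physical machine.
SNAPSHOTS = {
    'default_vm': {
        'cpus': [{'ProcessorNameString': 'Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz',
                  'VendorIdentifier': 'GenuineIntel', '~MHz': 2400}],
        'scsi': ['Disk&Ven_VMware&Prod_Virtual_disk', 'CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00'],
        'geo_nation': '244',   # GEOID 244 = United States
    },
    'physical': {'cpus': PHYSICAL_CPUS, 'scsi': ['Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB512'], 'geo_nation': '244'},
    'physical_excluded_locale': {'cpus': PHYSICAL_CPUS, 'scsi': ['Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB512'], 'geo_nation': '203'},
}


def vm_indicators(snapshot):
    """Reasons the snapshot looks like an analysis VM; an empty list means it passes."""
    reasons = []
    if len(snapshot['cpus']) < 2:
        reasons.append('single logical processor')
    for i, cpu in enumerate(snapshot['cpus']):
        text = f"{cpu['ProcessorNameString']} {cpu['VendorIdentifier']}".lower()
        if any(marker in text for marker in VM_MARKERS):
            reasons.append(f'CentralProcessor\\{i} names a hypervisor')
    for device in snapshot['scsi']:
        if any(marker in device.lower() for marker in VM_MARKERS):
            reasons.append(f'SCSI device {device} names a hypervisor')
    return reasons


def geofenced(snapshot, excluded=EXCLUDED_GEOIDS):
    """True when Control Panel\\International\\Geo\\Nation is in the excluded set."""
    return snapshot['geo_nation'] in excluded


def should_run(snapshot):
    """The decision the three registry lookups feed: run only on a non-VM host outside excluded locales."""
    return not vm_indicators(snapshot) and not geofenced(snapshot)


if __name__ == '__main__':
    for label, snapshot in SNAPSHOTS.items():
        print(label, 'runs' if should_run(snapshot) else 'bails', vm_indicators(snapshot))
```

Hardening a detonation VM against this class of check means making all three reads return host-like values: more than one logical processor, no hypervisor vendor string under CentralProcessor or Enum\SCSI, and a Geo\Nation value outside whatever set the sample excludes.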
Delays execution with timeout.exe (1 IoC)
- PID 2012 timeout.exe
-
Internet Explorer toolbar registry writes (signature label not present in this copy; writing process not listed)
- Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
- Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Modifies registry class (30 IoCs)
Unless a full path is given, keys below are under \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell; the writing process is rundll32.exe where shown and not listed otherwise.
- Set value (data) BagMRU\0\0\0\0 = 4e003100000000009555ae54100054656d7000003a0009000400efbe6b558a6c9555b4542e00000000000000000000000000000000000000000000000000106e1c00540065006d007000000014000000
- Key created Bags\1\Shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Set value (data) BagMRU\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\MRUListEx = 00000000ffffffff
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings (rundll32.exe)
- Set value (data) BagMRU\NodeSlots
- Set value (data) BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
- Set value (data) BagMRU\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\MRUListEx = ffffffff (rundll32.exe)
- Key created BagMRU
- Key created BagMRU\0
- Key created Bags
- Set value (data) BagMRU\NodeSlots = 02
- Key created Bags\1
- Set value (data) BagMRU\MRUListEx = ffffffff
- Key created BagMRU\0\0\0\0
- Set value (data) BagMRU\0\0\0\MRUListEx = 00000000ffffffff
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
- Key created BagMRU\0\0\0
- Set value (data) BagMRU\0\0\0\0\MRUListEx = ffffffff
- Set value (str) Bags\1\Shell\SniffedFolderType = "Generic"
- Key created BagMRU (rundll32.exe)
- Set value (data) BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
- Key created BagMRU\0\0
- Set value (int) BagMRU\0\0\0\0\NodeSlot = "1"
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
- Set value (data) BagMRU\NodeSlots (rundll32.exe)
- Set value (data) BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
These are shellbag (BagMRU/Bags) writes. The item-ID values contain the ASCII folder names "AppData" (BagMRU\0\0), "Local" (BagMRU\0\0\0) and "Temp" (BagMRU\0\0\0\0), so a shell view of the drop directory C:\Users\Admin\AppData\Local\Temp was opened; in the process tree this signature sits on the rundll32.exe instance running shell32.dll,#61.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2888 (image name not listed)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 720 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe (2 entries)
- PID 2888 (image name not listed; the other 62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2888 (image name not listed)
Suspicious behavior: MapViewOfSection (1 IoC)
- PID 720 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
- PID 2888 (image name not listed): SeShutdownPrivilege and SeCreatePagefilePrivilege, adjusted alternately, 12 times each
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 4040 rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2888 (image name not listed; 2 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Each parent/child pair is recorded three times. The source processes named are C74C.exe, rundll32.exe, 33E2.exe and cmd.exe, plus PID 2888, whose image name is not listed.
- PID 2888 wrote to PID 2380 C74C.exe (3 entries)
- PID 2380 C74C.exe wrote to PID 3388 rundll32.exe (3 entries)
- PID 3388 rundll32.exe wrote to PID 4040 rundll32.exe (3 entries)
- PID 2888 wrote to PID 2408 33E2.exe (3 entries)
- PID 2408 33E2.exe wrote to PID 2264 cmd.exe (3 entries)
- PID 2264 cmd.exe wrote to PID 2012 timeout.exe (3 entries)
A parent writing into a child it has just created is what CreateProcess does for every launch, so most of this table restates the process tree; the pair that matters is 3388 into 4040, the same pair as the SetThreadContext entry above.
Processes
Tree depth as reported is given in brackets; each entry lists the image path, the command line and the signatures the sandbox attributed to that process. C74C.exe and 33E2.exe appear at the top level because their parent, PID 2888 in the WriteProcessMemory table, is not shown in the tree.
-
[1] C:\Users\Admin\AppData\Local\Temp\554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
[1] C:\Users\Admin\AppData\Local\Temp\C74C.exe
Command line: C:\Users\Admin\AppData\Local\Temp\C74C.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
[3] C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
-
[3] C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
-
[2] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 528
- Program crash
-
[1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2380 -ip 2380
-
[1] C:\Users\Admin\AppData\Local\Temp\33E2.exe
Command line: C:\Users\Admin\AppData\Local\Temp\33E2.exe
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\33E2.exe" & exit
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 6
- Delays execution with timeout.exe
-
[2] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2032
- Program crash
-
[1] C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2408 -ip 2408
-
[1] C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
- Loads dropped DLL
-
[2] C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\server_ok.dll",Mwso
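The tree above has five shapes worth turning into detections: rundll32.exe loading a module from the user's Temp directory with a non-.dll extension, rundll32.exe spawning rundll32.exe (the 32-bit SysWOW64 instance starting the 64-bit System32 one it then injects into), rundll32.exe launching schtasks.exe, cmd.exe running `timeout` followed by `del` on its parent's own image, and svchost.exe -k <group> starting rundll32.exe on a DLL outside System32. Added example, not part of the report and not sandbox tooling: those rules in Python, run over constructed process records that mirror the tree. PIDs are taken from the report's tables where it gives them; 9xxx PIDs are placeholders for processes listed without one. The SHCreateLocalServerRunDll rundll32.exe instance is included to show that a rundll32.exe loading shell32.dll from System32 with no suspicious parent passes.

```python
# Constructed process records (pid, ppid, image, command line) mirroring the tree above.
# PIDs are the report's where it gives them (WriteProcessMemory and Loads dropped DLL
# tables); 9xxx PIDs are placeholders for processes the report lists without a PID, and
# ppid 9000 stands for a parent the report does not capture.
PROCS = [
    (2380, 2888, r'C:\Users\Admin\AppData\Local\Temp\C74C.exe',
     r'C:\Users\Admin\AppData\Local\Temp\C74C.exe'),
    (3388, 2380, r'C:\Windows\SysWOW64\rundll32.exe',
     r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye'),
    (4040, 3388, r'C:\Windows\system32\rundll32.exe',
     r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124'),
    (9001, 3388, r'C:\Windows\SysWOW64\schtasks.exe',
     r'schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask'),
    (2408, 2888, r'C:\Users\Admin\AppData\Local\Temp\33E2.exe',
     r'C:\Users\Admin\AppData\Local\Temp\33E2.exe'),
    (2264, 2408, r'C:\Windows\SysWOW64\cmd.exe',
     r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\33E2.exe" & exit'),
    (2012, 2264, r'C:\Windows\SysWOW64\timeout.exe', r'timeout /t 6'),
    (9002, 9000, r'C:\Windows\System32\rundll32.exe',
     r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding'),
    (5024, 9000, r'C:\Windows\SysWOW64\svchost.exe', r'C:\Windows\SysWOW64\svchost.exe -k LocalService'),
    (9003, 5024, r'C:\Windows\SysWOW64\rundll32.exe',
     r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\server_ok.dll",Mwso'),
]

SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
USER_TEMP = '\\appdata\\local\\temp\\'


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace outside double quotes, dropping the quotes."""
    tokens, current, quoted = [], '', False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
            current = ''
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def rundll32_module(cmdline):
    """Return (lower-cased module path, export) from a rundll32 command line, or (None, None)."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 2:
        return None, None
    module, _, export = tokens[1].partition(',')
    return module.lower(), export


def evaluate(procs):
    """Return (pid, rule) hits for the five process-tree rules described in the lead-in."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        name = basename(image)
        parent = by_pid.get(ppid)
        parent_name = basename(parent[2]) if parent else ''
        low = cmdline.lower()
        if name == 'rundll32.exe':
            module, _export = rundll32_module(cmdline)
            if module and (USER_TEMP in module or not module.endswith('.dll')):
                hits.append((pid, 'rundll32 module from user temp or without .dll extension'))
            if module and parent_name == 'svchost.exe' and not module.startswith(SYSTEM_DIRS):
                hits.append((pid, 'svchost-hosted service launched rundll32 on a module outside System32'))
            if parent_name == 'rundll32.exe':
                hits.append((pid, 'rundll32 spawned by rundll32'))
        elif name == 'schtasks.exe' and parent_name == 'rundll32.exe':
            hits.append((pid, 'schtasks launched from rundll32'))
        elif name == 'cmd.exe' and parent and 'timeout' in low and ' del ' in low and parent[2].lower() in low:
            # Self-delete: the deleted path is the parent's own image, not just any file.
            hits.append((pid, 'delayed self-delete of the parent image'))
    return hits


if __name__ == '__main__':
    for pid, rule in evaluate(PROCS):
        print(pid, rule)
```

A rule on `timeout` plus `del` alone is noisy, since installers do the same; tying the deleted path to the parent's own image is what makes it specific. Likewise the svchost rule only fires on a module outside System32 and SysWOW64, so a service DLL in its expected place does not trigger it.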
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\server_ok.dll (797KB; the report lists this file three times, twice by this path and once as \??\c:\program files (x86)\windowspowershell\modules\server_ok.dll, all with the hashes below)
MD5 8b83c0ae55ba64e7888b8637bb0b6068
SHA1 3116c06a6fd0edceb26b3d0de5edbc2902ae610f
SHA256 5e9fd7bd536efcab88d2459f3682c29362ce470ff29b51b06ec53002b3fc5011
SHA512 c2b92bf5f3110267fad236d10781069b58d64876b30fc5c181bd2b3b4b52ee98ea778ce5f8b16c681e711bc0a33fe0c9d045278ee5cb10cabbba60f4f0140d31
-
C:\ProgramData\mozglue.dll (133KB)
MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dll (1.2MB)
MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml (14KB)
MD5 cc78ff3a9bbf1967185797f3eac2090a
SHA1 80204fdfac8110dddc7e5c59ada69feef33a0614
SHA256 7afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3
SHA512 5ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp (2.3MB)
MD5 523e3db688b33482435830ac1980a3cd
SHA1 addec7b5761b5b11e316278a302caff9cb627b4a
SHA256 c6928328f88e88b7a5a2199d1cde6c2582d36805245bcb3a874a7aa6b3131596
SHA512 a21168dde28ccc11cac179be5b36e527b2d3cb0d3569e09228fe9d7ab065c88f054540248b1c92aba2e4d78ca788534d9c229d56669b9001e5d342a00edcd612
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml (827B)
MD5 ded8a0ae2ade3e3cab8bfbfea00b969f
SHA1 73752c78795a78ef3b742ad41737959e6f51ee42
SHA256 ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85
SHA512 3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftLync2013Win64.xml (2KB)
MD5 e3a68bbd204d36868c6f5570e4576675
SHA1 bc5c44144e8e962c62f7febabdb3d0ba20a8162a
SHA256 11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac
SHA512 7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_Office Feature Updates.xml (6KB)
MD5 b293170595e747ad85d1fb7f2ee06eea
SHA1 0d09a9c16ba3a694aab8fe232a35b719201c0955
SHA256 57dede2ef5f1d9538d211229bd5551c88c3c2df627782a7eb6ae98f8051f2535
SHA512 0fd0a57941c8e394598e88183c258ee70f54e3c80b32610cf626df18f55d95fd9149ea6e1d055c317236e8b3f0980cf70314392f94e77144ad3fd9519142f12b
-
C:\Users\Admin\AppData\Local\Temp\33E2.exe (345KB; the report lists it twice with identical hashes)
MD5 4bb4894b6642e0c45b78377021c13345
SHA1 5ccb0f727e41748fcdc624e9f9138d5bd6c2417a
SHA256 032f11472c3c4a71a697ed0a656f265ac31af952667da0d6b716c6a54ac66bae
SHA512 111da040c3690ebdc74bc86e14cbab7b0f23b26cacc863582874e95ea98aebcbaac776b850f03ad331fcdac7c5900cd7d6ab9222669bf478f047817f876b35ef
-
C:\Users\Admin\AppData\Local\Temp\C74C.exe (1.1MB; the report lists it twice with identical hashes)
MD5 96e78dc64ec67e77e1738da9b733dc86
SHA1 b9dd381c4f1d359ecb73dacd187642db300ab90c
SHA256 ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167
SHA512 7533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp (797KB; the report lists it twice with identical hashes)
MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
Qsedeqtedeooeo.tmp (the module rundll32.exe PID 3388 loads) and server_ok.dll (the registered service DLL) are both 797KB but carry different hashes, so the service DLL is not a byte-identical copy of the loader module. The {DFE614B1-1B05-F404-C372-1D93E0034A80} directory mixes a 2.3MB Fwroes.tmp with XML files named after Office and Microsoft Store manifests.
-
Memory dumps (dump name, listed size):
- memory/380-204-0x0000000000000000-mapping.dmp
- memory/720-135-0x0000000000400000-0x0000000000462000-memory.dmp (392KB)
- memory/720-134-0x0000000000400000-0x0000000000462000-memory.dmp (392KB)
- memory/720-133-0x00000000001F0000-0x00000000001F9000-memory.dmp (36KB)
- memory/720-132-0x0000000000792000-0x00000000007A2000-memory.dmp (64KB)
- memory/1396-205-0x0000000000000000-mapping.dmp
- memory/2012-188-0x0000000000000000-mapping.dmp
- memory/2264-187-0x0000000000000000-mapping.dmp
- memory/2380-144-0x0000000000400000-0x000000000053E000-memory.dmp (1.2MB)
- memory/2380-143-0x00000000022A0000-0x00000000023D0000-memory.dmp (1.2MB)
- memory/2380-142-0x00000000007CF000-0x00000000008BD000-memory.dmp (952KB)
- memory/2380-136-0x0000000000000000-mapping.dmp
- memory/2408-160-0x0000000000000000-mapping.dmp
- memory/2408-189-0x0000000000583000-0x00000000005B1000-memory.dmp (184KB)
- memory/2408-190-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/2408-163-0x0000000000583000-0x00000000005B1000-memory.dmp (184KB)
- memory/2408-164-0x0000000002090000-0x00000000020E3000-memory.dmp (332KB)
- memory/2408-165-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/2408-166-0x0000000060900000-0x0000000060992000-memory.dmp (584KB)
- memory/3388-148-0x0000000005730000-0x0000000005870000-memory.dmp (1.2MB)
- memory/3388-146-0x0000000004E20000-0x0000000005545000-memory.dmp (7.1MB)
- memory/3388-149-0x0000000005730000-0x0000000005870000-memory.dmp (1.2MB)
- memory/3388-154-0x00000000057A9000-0x00000000057AB000-memory.dmp (8KB)
- memory/3388-145-0x0000000004E20000-0x0000000005545000-memory.dmp (7.1MB)
- memory/3388-139-0x0000000000000000-mapping.dmp
- memory/3388-159-0x0000000004E20000-0x0000000005545000-memory.dmp (7.1MB)
- memory/3388-152-0x0000000005730000-0x0000000005870000-memory.dmp (1.2MB)
- memory/3388-151-0x0000000005730000-0x0000000005870000-memory.dmp (1.2MB)
- memory/3388-147-0x0000000005730000-0x0000000005870000-memory.dmp (1.2MB)
- memory/3388-150-0x0000000005730000-0x0000000005870000-memory.dmp (1.2MB)
- memory/4040-153-0x00007FF7D6BA6890-mapping.dmp
- memory/4040-155-0x000002241F8A0000-0x000002241F9E0000-memory.dmp (1.2MB)
- memory/4040-156-0x000002241F8A0000-0x000002241F9E0000-memory.dmp (1.2MB)
- memory/4040-157-0x0000000000C20000-0x0000000000E39000-memory.dmp (2.1MB)
- memory/4040-158-0x000002241DEB0000-0x000002241E0DA000-memory.dmp (2.2MB)
- memory/4748-199-0x0000000000000000-mapping.dmp
- memory/4748-201-0x0000000004BD0000-0x00000000052F5000-memory.dmp (7.1MB)
- memory/4748-203-0x0000000004BD0000-0x00000000052F5000-memory.dmp (7.1MB)
- memory/5024-194-0x0000000003AC0000-0x00000000041E5000-memory.dmp (7.1MB)
- memory/5024-202-0x0000000003AC0000-0x00000000041E5000-memory.dmp (7.1MB)
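The dump names encode the PID, a sequence number and the region bounds, and the sizes listed beside them follow from those bounds. Added example, not part of the report or of the sandbox's tooling: a Python parser for that name format that recomputes each size, checks it against the listed value, distinguishes 64-bit from 32-bit addresses, and pivots on region size across processes, which surfaces the same 0x725000-byte region in PIDs 3388, 4748 and 5024. The sample list is a subset copied from the entries above; the size-formatting rule (whole KB below 1 MiB, one decimal MB above) is inferred from those entries and is an assumption about the sandbox's formatting.

```python
import re
from collections import defaultdict

# Dump names and listed sizes copied from the memory section of the report above
# (a representative subset; the name format is the sandbox's own).
SAMPLE = [
    ('memory/720-132-0x0000000000792000-0x00000000007A2000-memory.dmp', '64KB'),
    ('memory/720-133-0x00000000001F0000-0x00000000001F9000-memory.dmp', '36KB'),
    ('memory/720-134-0x0000000000400000-0x0000000000462000-memory.dmp', '392KB'),
    ('memory/2380-136-0x0000000000000000-mapping.dmp', None),
    ('memory/2380-142-0x00000000007CF000-0x00000000008BD000-memory.dmp', '952KB'),
    ('memory/2380-144-0x0000000000400000-0x000000000053E000-memory.dmp', '1.2MB'),
    ('memory/3388-146-0x0000000004E20000-0x0000000005545000-memory.dmp', '7.1MB'),
    ('memory/3388-148-0x0000000005730000-0x0000000005870000-memory.dmp', '1.2MB'),
    ('memory/3388-154-0x00000000057A9000-0x00000000057AB000-memory.dmp', '8KB'),
    ('memory/4040-153-0x00007FF7D6BA6890-mapping.dmp', None),
    ('memory/4040-157-0x0000000000C20000-0x0000000000E39000-memory.dmp', '2.1MB'),
    ('memory/4040-158-0x000002241DEB0000-0x000002241E0DA000-memory.dmp', '2.2MB'),
    ('memory/4748-201-0x0000000004BD0000-0x00000000052F5000-memory.dmp', '7.1MB'),
    ('memory/5024-194-0x0000000003AC0000-0x00000000041E5000-memory.dmp', '7.1MB'),
]

NAME_RE = re.compile(
    r'^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)'
    r'(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$'
)


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, kind and region bounds (end is None for mappings)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f'unrecognised dump name: {name}')
    return {
        'pid': int(m['pid']), 'seq': int(m['seq']), 'kind': m['kind'],
        'start': int(m['start'], 16),
        'end': int(m['end'], 16) if m['end'] else None,
    }


def region_size(entry):
    return None if entry['end'] is None else entry['end'] - entry['start']


def human(nbytes):
    """Size formatting inferred from the report: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f'{nbytes / (1 << 20):.1f}MB'
    return f'{nbytes // 1024}KB'


def verify_sizes(sample):
    """Return (name, computed, listed) for every region whose bounds disagree with the listed size."""
    mismatches = []
    for name, listed in sample:
        size = region_size(parse_dump_name(name))
        if size is not None and human(size) != listed:
            mismatches.append((name, human(size), listed))
    return mismatches


def shared_region_sizes(sample):
    """Map region size -> sorted PIDs, for sizes seen in more than one process (a pivot for shared payloads)."""
    pids = defaultdict(set)
    for name, _listed in sample:
        entry = parse_dump_name(name)
        if entry['end'] is not None:
            pids[region_size(entry)].add(entry['pid'])
    return {size: sorted(p) for size, p in pids.items() if len(p) > 1}


def is_64bit_address(entry):
    """Addresses at or above 4 GiB can only belong to a 64-bit process."""
    return entry['start'] >= 1 << 32


if __name__ == '__main__':
    print('size mismatches:', verify_sizes(SAMPLE))
    for size, pids in shared_region_sizes(SAMPLE).items():
        print(f'region of 0x{size:X} bytes seen in PIDs {pids}')
```

The shared 0x725000-byte region ties the 32-bit rundll32.exe that loaded Qsedeqtedeooeo.tmp (PID 3388) to svchost.exe (PID 5024) and to PID 4748, which is the region to diff first when checking whether the service DLL stage and the loader stage unpack to the same code.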