Analysis

max time kernel:  150s
max time network: 127s
platform:         windows10-2004_x64
resource:         win10v2004-20221111-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted:        30-12-2022 08:18

Static task: static1

Behavioral task: behavioral1
  Sample:   afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
  Resource: win10v2004-20221111-en
General

Target: afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
Size:   235KB
MD5:    5c242afb9e98da06edad4d5750b058bb
SHA1:   08c077e72a96552ace13b263bcc9faa694d39465
SHA256: afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e
SHA512: 697283c8a5001c4732313add8136ea1517510737f2ad5e93c9e29d09e23a9afd090851f331a8299c076d7f0eab4ef9e65afc3e984682e8b6442aee9aadd13e2c
SSDEEP: 3072:urtL6TRWVqKlDfdiqwl/8b0sa1mLU8y5/LU8y5Fjwx3qB6xuqqb53y1teM:uL6qqKljdUlwho5orsRVx3E5
Malware Config

Signatures

Detects Smokeloader packer (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/1044-133-0x00000000005F0000-0x00000000005F9000-memory.dmp  family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid   Process
  224   F7E2.exe
  3572  Sppyteaet.exe
  2272  gdehsvf

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  F7E2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid  Process
  372  Process not Found
  688  chrome.exe

Suspicious use of SetThreadContext (1 IoC)
  description                         pid  Process   procid_target
  PID 224 set thread context of 2892  224  F7E2.exe  89

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  1944  2892        WerFault.exe  89
  4788  224         WerFault.exe  84
  3552  688         WerFault.exe  92

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gdehsvf
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gdehsvf
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gdehsvf
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
Checks processor information in registry (2 TTPs, 48 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description           ioc                                                                                      Process
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet               F7E2.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          rundll32.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information    F7E2.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status            F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision          F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier         F7E2.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          rundll32.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information    rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet               F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                     F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier         rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data       F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                     rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data       F7E2.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                     F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  F7E2.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString      F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier               F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                     rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1  F7E2.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision          F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier         F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier               F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status            rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            F7E2.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          F7E2.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data       rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier               rundll32.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                 Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                               entries
  1044  afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe  2
  372   Process not Found                                                     62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  Process
  372  Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  1044  afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
  2272  gdehsvf

Suspicious use of AdjustPrivilegeToken (26 IoCs, listed in the order recorded)
  description                       pid   Process            entries
  Token: SeDebugPrivilege           3572  Sppyteaet.exe      1
  Token: SeShutdownPrivilege        372   Process not Found  5 (alternating with the next row)
  Token: SeCreatePagefilePrivilege  372   Process not Found  5
  Token: SeDebugPrivilege           372   Process not Found  1
  Token: SeShutdownPrivilege        372   Process not Found  7 (alternating with the next row)
  Token: SeCreatePagefilePrivilege  372   Process not Found  7

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3572  Sppyteaet.exe
  688   chrome.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  3572  Sppyteaet.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  Process
  688  chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                      pid  Process            procid_target  entries
  PID 372 wrote to memory of 224   372  Process not Found  84             3
  PID 224 wrote to memory of 3572  224  F7E2.exe           88             3
  PID 224 wrote to memory of 2892  224  F7E2.exe           89             4
  PID 372 wrote to memory of 688   372  Process not Found  92             2
  PID 688 wrote to memory of 4808  688  chrome.exe         93             2
  PID 688 wrote to memory of 3356  688  chrome.exe         96             40
  PID 688 wrote to memory of 3788  688  chrome.exe         97             2
  PID 688 wrote to memory of 2004  688  chrome.exe         98             8
Processes

C:\Users\Admin\AppData\Local\Temp\afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e.exe"
  PID: 1044
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\F7E2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F7E2.exe
  PID: 224
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe"
      PID: 3572
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      PID: 2892
      - Checks processor information in registry

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1320
          PID: 1944
          - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1268
      PID: 4788
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2892 -ip 2892
  PID: 1300

C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  PID: 688
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec93a4f50,0x7ffec93a4f60,0x7ffec93a4f70
      PID: 4808

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,124776918347477934,10957025948407484523,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
      PID: 3356

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,124776918347477934,10957025948407484523,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1968 /prefetch:8
      PID: 3788

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,124776918347477934,10957025948407484523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
      PID: 2004

    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 688 -s 3596
      PID: 3552
      - Program crash

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4772

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 224 -ip 224
  PID: 4492

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 556 -p 688 -ip 688
  PID: 1952

C:\Users\Admin\AppData\Roaming\gdehsvf
  command line: C:\Users\Admin\AppData\Roaming\gdehsvf
  PID: 2272
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 5.5MB
  MD5:    3db18a14cdeece8c83c2b462a98f7f78
  SHA1:   784c8ee01a7447cb088cb436bd464ea6a4c33759
  SHA256: 08dbb04950436e675ff2bc75841a233420877ad0075e4ba15c47d8050eb336f7
  SHA512: d5fc35613454766606cd7f46ddbc0bfae2d9922c834ec5ca20ef3c4b5c292d021bc5a518228f9c3b652a26b18254b2b351105f5581ea3dbf6b93b584551ed98b

- Filesize: 5.5MB
  MD5:    3db18a14cdeece8c83c2b462a98f7f78
  SHA1:   784c8ee01a7447cb088cb436bd464ea6a4c33759
  SHA256: 08dbb04950436e675ff2bc75841a233420877ad0075e4ba15c47d8050eb336f7
  SHA512: d5fc35613454766606cd7f46ddbc0bfae2d9922c834ec5ca20ef3c4b5c292d021bc5a518228f9c3b652a26b18254b2b351105f5581ea3dbf6b93b584551ed98b

- Filesize: 1.3MB
  MD5:    ff6a5732355485b459248f586c2b6945
  SHA1:   07da3f03ef18e2eaddfceb050b68e93fd533f7a3
  SHA256: 366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
  SHA512: 379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749

- Filesize: 1.3MB
  MD5:    ff6a5732355485b459248f586c2b6945
  SHA1:   07da3f03ef18e2eaddfceb050b68e93fd533f7a3
  SHA256: 366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
  SHA512: 379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749

- Filesize: 235KB
  MD5:    5c242afb9e98da06edad4d5750b058bb
  SHA1:   08c077e72a96552ace13b263bcc9faa694d39465
  SHA256: afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e
  SHA512: 697283c8a5001c4732313add8136ea1517510737f2ad5e93c9e29d09e23a9afd090851f331a8299c076d7f0eab4ef9e65afc3e984682e8b6442aee9aadd13e2c

- Filesize: 235KB
  MD5:    5c242afb9e98da06edad4d5750b058bb
  SHA1:   08c077e72a96552ace13b263bcc9faa694d39465
  SHA256: afe397349912cff8044a95b3c5ec89643097044798490c366b36c4921553453e
  SHA512: 697283c8a5001c4732313add8136ea1517510737f2ad5e93c9e29d09e23a9afd090851f331a8299c076d7f0eab4ef9e65afc3e984682e8b6442aee9aadd13e2c