Analysis

max time kernel: 114s
max time network: 140s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 14-07-2023 23:51

Static task: static1

Behavioral task: behavioral1
Sample: a85fc38903152fcf020fb5ac1d90aa10.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: a85fc38903152fcf020fb5ac1d90aa10.exe
Resource: win10v2004-20230703-en
General

Target: a85fc38903152fcf020fb5ac1d90aa10.exe
Size: 164KB
MD5: a85fc38903152fcf020fb5ac1d90aa10
SHA1: caab463070bc5b97431e19344541f01fb06a0883
SHA256: 2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
SHA512: 6f591a5f75fad096dff024b745a5ca0219a149a93f38e47ebeaebfaa70a2694f524611fbfbeb559ade7818a6fcf16151b5521c720dec3472e2127c3c6fba87a2
SSDEEP: 3072:yCLITMy2+o6bVAR9PMfBMbsIFD9T3WUNztymtohPwM5AJY:HLIgy7refNPFRWUptJR9O
Malware Config

Extracted: smokeloader
summ

Extracted: smokeloader
2022

Extracted: systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Signatures

Detect rhadamanthys stealer shellcode (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1540-110-0x0000000001D80000-0x0000000002180000-memory.dmp | family_rhadamanthys
  behavioral1/memory/1540-111-0x0000000001D80000-0x0000000002180000-memory.dmp | family_rhadamanthys
  behavioral1/memory/1540-112-0x0000000001D80000-0x0000000002180000-memory.dmp | family_rhadamanthys
  behavioral1/memory/1540-113-0x0000000001D80000-0x0000000002180000-memory.dmp | family_rhadamanthys
  behavioral1/memory/1540-126-0x0000000001D80000-0x0000000002180000-memory.dmp | family_rhadamanthys
  behavioral1/memory/1540-129-0x0000000001D80000-0x0000000002180000-memory.dmp | family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 1540 created 1308 | 1540 | 2CAC.exe | Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid | process
  640 | bcdedit.exe
  664 | bcdedit.exe

Deletes backup catalog
Processes:
  pid | process
  1444 | wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall (1 TTP, 2 IoCs)

Deletes itself (1 IoC)
Processes:
  pid | process
  1308 | Explorer.EXE

Drops startup file (1 IoC)
Processes:
  description | ioc | process
  File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\R4x%wa8d~-.exe | R4x%wa8d~-.exe

Executes dropped EXE (6 IoCs)
Processes:
  pid | process
  1540 | 2CAC.exe
  592 | (%pbQt_y3J.exe
  2768 | R4x%wa8d~-.exe
  3020 | zlT.exe
  944 | R4x%wa8d~-.exe
  1712 | (%pbQt_y3J.exe

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R4x%wa8d~- = "C:\\Users\\Admin\\AppData\\Local\\R4x%wa8d~-.exe" | R4x%wa8d~-.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\R4x%wa8d~- = "C:\\Users\\Admin\\AppData\\Local\\R4x%wa8d~-.exe" | R4x%wa8d~-.exe

Drops desktop.ini file(s) (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini | R4x%wa8d~-.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini | R4x%wa8d~-.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 592 set thread context of 1712 | 592 | (%pbQt_y3J.exe | (%pbQt_y3J.exe

Drops file in Program Files directory (22 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files\7-Zip\7-zip.chm.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\7zFM.exe.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\History.txt.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7z.dll.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\7z.exe.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\7zCon.sfx.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\7zG.exe.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\descript.ion | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.chm | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\descript.ion.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\History.txt | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.dll | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\7-zip32.dll.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7z.sfx | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\7z.sfx.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | R4x%wa8d~-.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | R4x%wa8d~-.exe
  File created | C:\Program Files\7-Zip\Lang\af.txt.id[AD71426D-3483].[[email protected]].8base | R4x%wa8d~-.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a85fc38903152fcf020fb5ac1d90aa10.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a85fc38903152fcf020fb5ac1d90aa10.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a85fc38903152fcf020fb5ac1d90aa10.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | (%pbQt_y3J.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | (%pbQt_y3J.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | (%pbQt_y3J.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1340 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (distinct pid/process pairs):
  pid | process
  2000 | a85fc38903152fcf020fb5ac1d90aa10.exe
  1308 | Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  1308 | Explorer.EXE

Suspicious behavior: MapViewOfSection (19 IoCs)
Processes (distinct pid/process pairs):
  pid | process
  2000 | a85fc38903152fcf020fb5ac1d90aa10.exe
  1308 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2768 | R4x%wa8d~-.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct source/target pairs):
  description | pid | process | target process
  PID 1308 wrote to memory of 1540 | 1308 | Explorer.EXE | 2CAC.exe
  PID 1308 wrote to memory of 2424 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 1344 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 2408 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 2864 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 2924 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 2320 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 3060 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 3064 | 1308 | Explorer.EXE | explorer.exe
  PID 1308 wrote to memory of 2724 | 1308 | Explorer.EXE | explorer.exe
  PID 1540 wrote to memory of 2840 | 1540 | 2CAC.exe | certreq.exe
  PID 592 wrote to memory of 1712 | 592 | (%pbQt_y3J.exe | (%pbQt_y3J.exe
  PID 2768 wrote to memory of 2552 | 2768 | R4x%wa8d~-.exe | cmd.exe
  PID 2768 wrote to memory of 2540 | 2768 | R4x%wa8d~-.exe | cmd.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe

Processes

Indentation shows the parent/child relationship; a command line is listed where it adds arguments to the image path.

C:\Windows\Explorer.EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a85fc38903152fcf020fb5ac1d90aa10.exe
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  C:\Users\Admin\AppData\Local\Temp\2CAC.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\certreq.exe
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
  C:\Users\Admin\AppData\Local\Temp\AFEF.exe
  C:\Users\Admin\AppData\Local\Temp\B1E3.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Microsoft\(%pbQt_y3J.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)

C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Microsoft\R4x%wa8d~-.exe
    - Executes dropped EXE
  C:\Windows\system32\cmd.exe
    C:\Windows\system32\netsh.exe
      command: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      command: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  C:\Windows\system32\cmd.exe
    C:\Windows\system32\vssadmin.exe
      command: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe
      command: wmic shadowcopy delete
    C:\Windows\system32\bcdedit.exe
      command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe
      command: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\wbadmin.exe
      command: wbadmin delete catalog -quiet
      - Deletes backup catalog

C:\Users\Admin\AppData\Local\Microsoft\zlT.exe
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

C:\Windows\System32\vdsldr.exe
  command: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
Downloads