Analysis
max time kernel: 115s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2023, 15:04
Static task: static1
Behavioral task: behavioral1
Sample: b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
Resource: win10v2004-20230831-en
General
Target: b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
Size: 216KB
MD5: 9a96d0e2f9c295ab676be283a7e93565
SHA1: 1e39acd938959c92da53e009969da54e2b43c308
SHA256: b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d
SHA512: b917419f203ef118f13e087a7eeba4ff1925a684fe34137fe9e583cfb6836adfa0e4dc7a59ae022c2d19e03a1955ba48d7ddb97b463eae88890f86af03f4cda2
SSDEEP: 3072:e/ea4aZjLd76DboYo1cLCaw+GInmm8w57XjcC1hsy34ik/kwsurE5W7n:QZjLd6oDcLbGIm8Qu34ik/Ourv7
Malware Config
Extracted family: smokeloader
Version: 2022
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
pid | Process
1792 | fvtwbde
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fvtwbde
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fvtwbde
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fvtwbde
Modifies registry class 60 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3212 | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3212 | Process not Found
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
3084 | b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
1792 | fvtwbde
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3212 | Process not Found
3212 | Process not Found
3212 | Process not Found
3212 | Process not Found
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe"
  PID: 3084
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Roaming\fvtwbde
  Command line: C:\Users\Admin\AppData\Roaming\fvtwbde
  PID: 1792
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
  PID: 4684
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 216KB
MD5: 9a96d0e2f9c295ab676be283a7e93565
SHA1: 1e39acd938959c92da53e009969da54e2b43c308
SHA256: b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d
SHA512: b917419f203ef118f13e087a7eeba4ff1925a684fe34137fe9e583cfb6836adfa0e4dc7a59ae022c2d19e03a1955ba48d7ddb97b463eae88890f86af03f4cda2