Analysis
max time kernel
300s
max time network
222s
platform
windows7_x64
resource
win7-20230831-en
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted
25/09/2023, 01:36
Static task
static1
Behavioral task
behavioral1
Sample
147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe
Resource
win10-20230915-en
General
Target
147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe
Size
240KB
MD5
26cfc7945d27d22acf55e6bdf270a156
SHA1
937d51b0a8279b753d2b2e3cf346b88b2a7aa99b
SHA256
147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3
SHA512
22eca42df3db288244b6280c0d774f8d6ad0e120a3a5fc4ba80d11d69e38eeb7b4a5a4a2581d0d1db9aee7dfe10eea469f7c39c30e641f75d2c0cd0f0e6b94f1
SSDEEP
6144:pU5frpxdonyq4zaG2u5AOAeKCykFVquqp:pCrp0/9u5KeNykjquqp
Malware Config
Extracted
Family
smokeloader
Version
2022
C2
http://77.91.68.29/fks/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE 1 IoCs
pid | Process
572 | rabbevh

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1888 set thread context of 3044 | 1888 | 147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe | 28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
2824 | 1888 | WerFault.exe | 27

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
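What the SCSI signature above actually looks at: every disk or optical device attached to the machine gets a subkey under HKLM\SYSTEM\ControlSet001\Enum\SCSI whose name carries the vendor and product strings the device reports, and hypervisors leave recognisable strings there. The following Python is an added example, not code from the report or from SmokeLoader, showing how such a check is evaluated and letting a sandbox operator test their own image. The key names in SAMPLE_SCSI_KEYS are constructed samples, and the VM_MARKERS list is an assumption about common virtual-disk identifiers.

```python
"""Evaluate SCSI device-instance key names the way a sandbox-aware loader
would.  Added example: sample key names are constructed, the marker list is
an assumption, and read_live_scsi_keys() only works on a Windows host."""
import re
import sys

# Constructed sample subkey names of Enum\SCSI (format <type>&Ven_<vendor>
# &Prod_<product>[&Rev_<rev>]): four typical hypervisor disks, a virtual
# CD-ROM and one physical SATA SSD.
SAMPLE_SCSI_KEYS = [
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "Disk&Ven_QEMU&Prod_QEMU_HARDDISK",
    "Disk&Ven_Msft&Prod_Virtual_Disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_Samsung&Prod_SSD_860_EVO",
]

# Substrings assumed to betray a virtual machine.  "virtual" and "msft" also
# occur on some physical hosts (Storage Spaces, iSCSI targets), so a single
# hit is a hint for the malware, not proof; evasive loaders combine it with
# other checks.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen",
              "virtual", "msft", "innotek", "parallels")

KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"(?:&Rev_(?P<rev>[^&]*))?$"
)


def parse_scsi_key(name):
    """Split a device-instance key name into its fields; None if malformed."""
    m = KEY_RE.match(name)
    return m.groupdict() if m else None


def vm_markers_in(name):
    """Markers present in a key name, case-insensitively."""
    low = name.lower()
    return [marker for marker in VM_MARKERS if marker in low]


def classify(keys):
    """Partition key names into those that would trip the check and the rest."""
    flagged, clean = [], []
    for name in keys:
        (flagged if vm_markers_in(name) else clean).append(name)
    return {"flagged": flagged, "clean": clean}


def read_live_scsi_keys():
    """Enumerate the real key on a Windows host (the same key the report
    shows AppLaunch.exe opening); returns None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SYSTEM\ControlSet001\Enum\SCSI"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


if __name__ == "__main__":
    keys = read_live_scsi_keys() or SAMPLE_SCSI_KEYS
    verdict = classify(keys)
    for name in verdict["flagged"]:
        fields = parse_scsi_key(name) or {}
        print("VM marker(s)", vm_markers_in(name), "in", fields.get("vendor"),
              fields.get("product"))
    for name in verdict["clean"]:
        print("no marker in", name)
```

Run on a sandbox image, an empty `flagged` list from `read_live_scsi_keys()` is what you want; anything in it is a string the sample in this report could have read before deciding to behave.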
Modifies Internet Explorer settings 62 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b0000000002000000000010660000000100002000000041636ad35f57e80b15825684776238f0e8fc2e6c5f064813fc341ac23ade6215000000000e8000000002000020000000b51acc93b3f17fe9e8adaf9dd8ba62dd426e59b48e57e007e47a22ea928fef9020000000b0e68591889ff86f02567f9fd247cf5f5e1b89aa28d554a827f669008dd67e5c4000000088a82c1fab1408c55cc09ed928ec6b5f0160c46173b1077ee28205e96de1e5ffe76c79cc6840646eca2763e330168b5451f7e20c1fa4bf53949c37e821516281 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1414DF41-5B44-11EE-81AA-5EF5C936A496} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d5ffe950efd901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b000000000200000000001066000000010000200000008d01f6e47205171685f8c9646c8321dd8892849417f86413cf4a3d3dc6a91d5a000000000e80000000020000200000001a21e4d48403a210ee889876458d82001471dbe826477dde395365713a8d1bcb90000000f38c70f54360d3a87cc48416852f2c140de58bdc0d1f80e95df20afe5f9c1f1da615d3255beff3c4229cf37d1c7723935c222ce425c981e526dbc3891684c08bc906dbcdb44e72b263ad838258ba6ee8655950aa32de1fd81fd6f909dabaf8fd42b9bf06389b5fcee3556dc40ff171b0d8f6a0957826b3a99b6b8f31e1d79787ffb5e62728f39288c4972d91d5f6565c40000000806d9d34b09d3320481a0acb5d6a6540c1a1cd7fbe944397fc4929030667abfc8034e77e1867153f35e476ac8a28fb8506ada8a7c73ac6d31546539b3092e253 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401767712" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13E7A521-5B44-11EE-81AA-5EF5C936A496} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3044 | AppLaunch.exe (2 entries)
1348 | Process not Found (62 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2840 | iexplore.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
3044 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1348 | Process not Found (3 entries)

Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
2508 | iexplore.exe
2840 | iexplore.exe
1348 | Process not Found (4 entries)

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
1348 | Process not Found

Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
2508 | iexplore.exe (2 entries)
2880 | IEXPLORE.EXE (2 entries)
2840 | iexplore.exe (2 entries)
1356 | IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 1888 wrote to memory of 3044 | 1888 | 147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe | 28 (10 entries)
PID 1888 wrote to memory of 2824 | 1888 | 147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe | 29 (4 entries)
PID 1348 wrote to memory of 2388 | 1348 | Process not Found | 32 (3 entries)
PID 2388 wrote to memory of 2508 | 2388 | cmd.exe | 34 (3 entries)
PID 2388 wrote to memory of 2840 | 2388 | cmd.exe | 36 (3 entries)
PID 2508 wrote to memory of 2880 | 2508 | iexplore.exe | 37 (4 entries)
PID 2840 wrote to memory of 1356 | 2840 | iexplore.exe | 38 (4 entries)
PID 584 wrote to memory of 572 | 584 | taskeng.exe | 43 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe"
PID 1888
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID 3044
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 92
    PID 2824
    - Program crash

C:\Windows\system32\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\66CE.bat" "
PID 2388
- Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    PID 2508
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
        PID 2880
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    PID 2840
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
        PID 1356
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {3B7CA295-7E1C-48CC-837B-61658D25BF90} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
PID 584
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\rabbevh
    Command line: C:\Users\Admin\AppData\Roaming\rabbevh
    PID 572
    - Executes dropped EXE
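Two things in the signatures and the process tree above are worth turning into detection logic: the sample (PID 1888) both writes into the AppLaunch.exe child it created (PID 3044) and resets that child's thread context, which is the process-hollowing pairing, and taskeng.exe later starts an extension-less dropped file from AppData\Roaming. The following Python is an added example, not code from the report or from the sandbox; the process table and event lines are constructed from the PIDs and paths listed on this page, and the record format, the scheduler image names and the list of user-writable directories are assumptions of the example.

```python
"""Triage helpers over sandbox behaviour records: find the hollowing pattern
(parent writes into its child and sets the child's thread context) and
scheduler-launched executables in user-writable directories.  Added example;
the data below is constructed from the PIDs and paths in the report."""
import ntpath
import re
from collections import defaultdict

# Process tree from the "Processes" section: pid -> (parent pid, image path).
# None = top of the tree as reported.  cmd.exe sits at top level because the
# report could not name PID 1348, the process it attributes the writes to.
PROCESSES = {
    1888: (None, r"C:\Users\Admin\AppData\Local\Temp\147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe"),
    3044: (1888, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    2824: (1888, r"C:\Windows\SysWOW64\WerFault.exe"),
    2388: (None, r"C:\Windows\system32\cmd.exe"),
    2508: (2388, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    2880: (2508, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    584:  (None, r"C:\Windows\system32\taskeng.exe"),
    572:  (584,  r"C:\Users\Admin\AppData\Roaming\rabbevh"),
}

# Signature rows in the form the report prints them (constructed sample;
# the repeated rows are collapsed to one each).
EVENT_LINES = """
PID 1888 wrote to memory of 3044
PID 1888 set thread context of 3044
PID 1888 wrote to memory of 2824
PID 2388 wrote to memory of 2508
PID 2508 wrote to memory of 2880
PID 584 wrote to memory of 572
""".strip().splitlines()

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_events(lines):
    """(source pid, action, target pid) per matching line; others are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def find_hollowing(events, procs):
    """Edges that carry both a memory write and a thread-context change.
    Either action alone is common (crash handlers, debuggers, the parent
    writing into WerFault here); the pair on one parent->child edge is the
    hollowing signature, and a host image under C:\\Windows raises confidence
    because the on-disk file is legitimate and usually signed."""
    actions = defaultdict(set)
    for src, action, dst in events:
        actions[(src, dst)].add(action)
    hits = []
    for (src, dst), acts in actions.items():
        if {"wrote to memory of", "set thread context of"} <= acts:
            parent, image = procs.get(dst, (None, ""))
            hits.append({
                "injector": src,
                "target": dst,
                "target_image": image,
                "is_child": parent == src,
                "windows_binary": image.lower().startswith("c:\\windows\\"),
            })
    return hits


# Assumptions of the example: the images that spawn scheduled-task actions
# (taskeng.exe on Windows 7, the Schedule service's svchost.exe on Windows 10)
# and directories an unprivileged user can write to.
SCHEDULER_IMAGES = {"taskeng.exe", "svchost.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")


def find_scheduled_drops(procs):
    """Executables the scheduler started from a user-writable directory."""
    hits = []
    for pid, (ppid, image) in procs.items():
        if ppid is None:
            continue
        parent_image = procs.get(ppid, (None, ""))[1]
        if ntpath.basename(parent_image).lower() not in SCHEDULER_IMAGES:
            continue
        if any(d in image.lower() for d in USER_WRITABLE):
            hits.append({
                "pid": pid,
                "image": image,
                # The dropped file in this report has no extension at all,
                # which slips past naive *.exe matching.
                "has_extension": ntpath.splitext(image)[1] != "",
            })
    return hits


def triage(lines=EVENT_LINES, procs=PROCESSES):
    return {"hollowing": find_hollowing(parse_events(lines), procs),
            "scheduled_drops": find_scheduled_drops(procs)}


if __name__ == "__main__":
    for kind, hits in triage().items():
        for hit in hits:
            print(kind, hit)
```

On the page's data `triage()` returns exactly one hollowing candidate (1888 into 3044, its own child, a Windows binary) and one scheduled drop (PID 572, no extension); the 1888 into 2824 write is correctly ignored because no thread-context change accompanies it.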
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 e8be185e5ff6d9674711c31abfba4a70
SHA1 d3c9ed05bbf4343eab56ecefdc84a24d940ecc3c
SHA256 838e7a1c02f45f5113075066066cd361bf5e4bb58fd8abd0ba624b828de15e09
SHA512 eabdedd43fb99440890e2be2645f79c24c52301534143c57d00cc53efbed834cc964f3e0ba758db8ca78878437df6c4a1dc3d1d207e05157f98a83e65b4cddbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 7262c53beb42b7383f3a8d2c132051d1
SHA1 c4b7e8799b5e2ff2c549bd7ea1d1496cc7e70686
SHA256 88b545334a4ee9a2552a926ef85a572a101ffa5f6aecd0f424c0ce4511634aef
SHA512 4f62bfc88d345ca0e0d91689c6ad585df08b8bec7ed18b3c1be1d3f8a6e8f73dc8a87f6193b580b3cacd30f20969a56c623f118ceb9377ab4fca1e12b0e8ee9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 34fc12de01641780f94c45978b8d68a2
SHA1 d662fc33d4f91a4987f7e710c212e2e280d94cbc
SHA256 5205135707c9736dda8fd86c9506d82ba7ace0bfef5d0c7136c911a58ef9054c
SHA512 0258ea13cd503109b9b7b6b51039eb8394b147165d5330986e6e9544e7151b0c498f997d728a4e3d94c330ee71132314291e364dd658c83903f5a786fc5a1924

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 f2f9da16817f9385fd4614107d8dcea9
SHA1 bc925ca34c81031e071e8106507ee51e1161c736
SHA256 5bbc12e37190dc9d98593243fe8fc22b8639e753c814f8579325bd6fb9ea5d57
SHA512 674827147f1a3e353d0a7705ecc01a89bef30e8c3f1f0408f8760948cb67d28401c3b6127eb125b36311d3a037685ee098743048101afe40404ed9b9ce6333c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 91498faa0d4eabc35d9a69e6bcad85ce
SHA1 9a08a9e2b2a9f441e12df39e2f8ee050f6a362e9
SHA256 03ec98cea9c24edd384a0e5ef3428b54d0fb6baad43560ea80fad7842b0dcb9b
SHA512 43fd96975dd6d334ef99d22f0da9a410a58e95914f5ba02257550b598afd31594bc7ab245ab0852c6036c552b10e3b6e71176a35cf667dba29673795146a6705

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 969e69e48d8fbe27453dd056c8816447
SHA1 ef8aa51a1949296902c2c637b056ac870b900891
SHA256 6be903afc0ba77b6e955428ee37109746f64088df0b45a56af391f28c65ee9aa
SHA512 25c9ddbddf62c75f97dcf9f3d2e86d6597d1762bf825fe10c1eb2d18574bd8b72da5ca43289f3b342b366d7c301291d85b2970154f505b9c18967e3560853583

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 5c44dcdfb500e9ba85aa4b21f2a18c2f
SHA1 f45152ddadfc2d07681f851f187164251a42134b
SHA256 5623a9580641b23d5eb033112c71ee97e789093f20ffe947b9a13a911327d615
SHA512 aa5e7342e41ef0acb470a74c3cbf1c84ec45a25b62c4e9e2af56c2002f606a9c6e1c9c48bd8e5ace4d4bd0b9b86e33990bc08afc9d63506ac400acd5fd953201

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 c81dcce734d9be4d59635ef916bcdd2e
SHA1 c24dca77506b008e37259fb77160c189f62b5a25
SHA256 a1813532950d5ed5e032c928ca138685bc2330d7184c58c54a8e89edde96db59
SHA512 57845e562ad775e2799d69cdd725697a227050e0902b110ed11f36aaf532aba1946931070d7550e143f2454a8df220f257a3c7753f1c61b8deb677df1c97b3e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 d8aa8c50259783620266e61ce4a3f641
SHA1 42905c8e21000150e1fc10054e29dc52f7829fbf
SHA256 5dada8d0bf7da7fddc1ed6fd8f439a11d67da6550608de40646beefcbe7eab6d
SHA512 8e1191909b4296f6acd199e13bf9c5b319d2d85cde706b0e56d62a5880a3ce5ee442c3a1149eb42ceccd7e5f34564009b13775fbc32e033978d65b5013aa8870

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 8d0147e136e6cafa6a662442edc89c1b
SHA1 fdc45b8f7826483e4a33ddf98600c22098230fae
SHA256 a43b054fe0aede9f3e64b1a1a00dffda37dac738ea6b14d3e98d621f6f3dd4e7
SHA512 4406ca6fcae5e8d20f6857aed63e8eb0f9465356c01eb49171bec562ed8f18e83d77c9e7ed57e31190e51af578ce4f2a08730014e80f555f6e3db79976bb4725

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 d140b382f5fd9dd2c1871f0e978d6acf
SHA1 9976d3a3704ca5406a85c6819ea8b4a33245f4cb
SHA256 517cae78b7638e70bc3bfbd4a833b91b4674c772906a411e6fbc42d0be661988
SHA512 e09dbfee415831a306440aab6fe3d787dd0c114342dc7a9d5af7710f6a159fdd11350cd56a184b18f1bb033ddc96072610060d9a8fcf549b5c92fa7a19a31912

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 649eda375b8f6f4d3a01cdbca7728f0a
SHA1 5421b2d079235868db4a38e8614e82ac8c81c4ec
SHA256 dab80598b9fc294919181d26e5b6df22792d9f685c1e7b1b97f297550eee7ee7
SHA512 80feae68d398b8ce77596907dfe21d9deef9391d77c0b86166b91a114958cd00da419b7cf11b2de98080b3518456577ca8805a4490d7d1445c8a1612af6de96f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 675a1efba7651fa194afbd352bb9aa38
SHA1 bcc1e257071920f6bb2afa98f7c7ffb53205debf
SHA256 feb33006d7e91368a2f78d3588afdb45651572bae311cacbfed0e0b133cc2f81
SHA512 3d2720ee917b1869b130e84fe534ed00552bb42bda8f015d4239f9b0c30992521564f810b16556afe4aa228b862ddbed3706ccc907cba6471a1e38a3ff94846a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 956f3e4285cdf8979a08e93c53c6e299
SHA1 01edf6679195bbaf991c49b6ed3a2f5778beb176
SHA256 78a8be4ac0aedef191189046c02b31854c7f4129fadbcc2d25a9f847f8d2d964
SHA512 ab0366d7e330c11e59ce8162f6da8525f9fe59acf671ca48bb9e15cf810128bc918a1001e22b2ba21aa88688a4f06ab8b29c380b2182ed9cdef1124dd0c4b367

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 0853b5befbff945f549a33827b0fe94d
SHA1 f3535739e846d7c9886dea4257aa3578bff55e8d
SHA256 43ded0f84337ac349e781383f8ff1ea784faf2b2b519220982cbf61a06cc37d8
SHA512 b8d25b1a36a7b23eb0d592322500d14f5d823252f9c4a088c4af973c4c5c05380f80b925e081efd2d08249095fc36eb92e897309a7cc7eb90e3446a49ebf4a7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 d492ec10df3371071704d1b73f0abdce
SHA1 ee0254709bc7a5bf6e85412a77941b4617c19a42
SHA256 1cbd91237e78e823b7678645e7dddaacb7b278117bec6022f9dda0689b217882
SHA512 8c7cbd2a55ceca600b9ec320a7fcc2fb38394439a745da9243f94da8dd313b434daf518c3b063295b010cc90778769794dddfece5181e1f3369f13416d37e581

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 07ffca917dc0401880ef0ed480675f08
SHA1 ea68068131535d8660f68968dfc35374060f6dfe
SHA256 0874bfccad951507a13ed2b714c602da453db59ff9b3008e9040c505b7aae87f
SHA512 bafa6ac3f1bfb08f3a72f8f4cdd9b6a52d3537bd80cea1028cb3c330e877f602d049d781fdaeb9c2892b9e7f191cfe34f6b1bf0a68d41bf18599051c36e00522

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 893649671df3f6f51301d5019a097371
SHA1 fe36287febc6cf03c0579e12a8f5ba9375af0c8c
SHA256 43e6bece371e4f111c73842ed99c08985d65baede0c85d6036a50ad3ae8bc7b8
SHA512 43630ebc8d4dffeb6b36497870042ae191ba1a0c29429a64227198453dd22258c04d2ecb92d3a80aff966e5c295f44aed71820a0fb146bc288c952f53c071217

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 304B
MD5 4345474b10da67dcbb8ff625c6609e7f
SHA1 5e9944bf26c3c4e2ec132623977221e238fcba5d
SHA256 4a583ef9b63d5d589a43c709b36674b8c71446de904c4f02820d2821ab728354
SHA512 fd3a622fdf822935754129e79e202936e362f7f3b5e94548cb43bb88fdefa3b9c683764386e580d831eab3ba53418668a6792fcee19d84839a2cbf33d19a6cfd
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{13E7A521-5B44-11EE-81AA-5EF5C936A496}.dat
Filesize 5KB
MD5 d56e97e42a1c7033721b48ed729df90e
SHA1 6baa6fd6ee91a31007975f2d7d7f0e353adc0774
SHA256 f48f914961fcc956c683c8fd49058b4076aa913c561e5e1e13352e8f5022ac99
SHA512 7378aeb26c780c7ccab3beea9ad2fec10355939d8959f071f16b4c80f551823bb1accdbe9ce590dd810b08926e4a4c8dd311e5e3adc7ccf19869a8b3b5eb0f59

Filesize 5KB
MD5 fe7bba1a7b0d6e5c633ae55b8318ca84
SHA1 1d48adeca5bc1380d106e73b564b77cafb508f77
SHA256 623f65afbcfcd8dc9005a755df74c739e80b120720e9defbc931e2b0212b1a99
SHA512 1bc4a7a917fe478b869027257f2559ebaee3ddf946679bf84c04705ceecd30a879988385347b49be2b046e4cbba93465c07f3fd2854ef890ee6070a9e11f6727

Filesize 9KB
MD5 db256bf9f977838edf06297da5089c23
SHA1 4b8e68cfc0472f29e12b2eab4cfc2bb813165cd2
SHA256 d91c41f9ee5d121550beebea64b62d74db37059c67c56e9e6535ece126062af6
SHA512 4d994cee97cc64514260ed16149e36bb4a45d15cc6d9796909e7728b62ea4815961c1c88e1f0982e7d7141f749b958cfc10f9809b5743836e1f543eaf0c8f9d1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IOZ64VQ\favicon[1].ico
Filesize 5KB
MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\hLRJ1GG_y0J[1].ico
Filesize 4KB
MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Filesize 79B
MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Filesize 79B
MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Filesize 61KB
MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Filesize 163KB
MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Filesize 96KB
MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Filesize 96KB
MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4