Analysis
- max time kernel: 132s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2023 13:58
Static task: static1
Behavioral task: behavioral1
- Sample: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
- Size: 731KB
- MD5: 3024f8b8500d2629b5d934d0ef334efb
- SHA1: d2013e0488e50fe9039986129e46725c2353e0a7
- SHA256: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
- SHA512: b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
- SSDEEP: 12288:JqH3dU+ta6byR6WYlvZja6+hpKo8sRexHyoRwMt7zANdi:etU+YxYtARN6wUK0
Malware Config
Extracted
Family: snakekeylogger
- Protocol: smtp
- Host: mail.gkas.com.tr
- Port: 587
- Username: [email protected]
- Password: Gkasteknik@2022
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/2156-25-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2156-28-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2156-30-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Windows security bypass
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | svchost.exe
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | svchost.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2536 | svchost.exe

Loads dropped DLL 1 IoCs
Processes:
  pid | process
  2332 | cmd.exe
Windows security modification
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 2536 set thread context of 2156 | 2536 | svchost.exe | ngen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe 1 IoCs
Processes:
  pid | process
  2648 | timeout.exe
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05369101-61F5-11EE-A0E4-CE1068F0F1D9} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008363f501f6d901 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402503415" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000ec0be11c4e3a6a7b65f8ca56f3020acde7df80ed9049e6c4d7d5dde0efb87bdc000000000e800000000200002000000096ff9b6b66c072a32ae9bbf88c1d7812b728efcc3091cd4eb171039c8d36d59320000000ac05213bb30aa53a6f4ac543e0e82f7a7d13bd99a324b6a0ed784751d45a33e340000000bd61e14c3584b303bdb5f8f12134a9a9dd67c0c015f4ea58d24debbdd08c4edc673a1a179bd868be1aaa58afa50410d594335de27c57b535645466f648d20e0d | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid | process
  1408 | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  1408 | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  2640 | powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1408 | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Token: SeDebugPrivilege | 2536 | svchost.exe
  Token: SeDebugPrivilege | 2640 | powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  2520 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid | process
  2520 | iexplore.exe
  2520 | iexplore.exe
  2360 | IEXPLORE.EXE
  2360 | IEXPLORE.EXE
  2360 | IEXPLORE.EXE
  2360 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 41 IoCs
Processes (identical rows collapsed, count in the last column):
  description | pid | process | target process | count
  PID 1408 wrote to memory of 2324 | 1408 | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe | cmd.exe | 4
  PID 1408 wrote to memory of 2332 | 1408 | 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe | cmd.exe | 4
  PID 2324 wrote to memory of 2756 | 2324 | cmd.exe | schtasks.exe | 4
  PID 2332 wrote to memory of 2648 | 2332 | cmd.exe | timeout.exe | 4
  PID 2332 wrote to memory of 2536 | 2332 | cmd.exe | svchost.exe | 4
  PID 2536 wrote to memory of 2640 | 2536 | svchost.exe | powershell.exe | 4
  PID 2536 wrote to memory of 2156 | 2536 | svchost.exe | ngen.exe | 9
  PID 2156 wrote to memory of 2520 | 2156 | ngen.exe | iexplore.exe | 4
  PID 2520 wrote to memory of 2360 | 2520 | iexplore.exe | IEXPLORE.EXE | 4

System policy modification 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31_JC.exe"
  PID: 1408
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 2324
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 2756
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD115.tmp.bat""
    PID: 2332
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2648
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 2536
      - UAC bypass
      - Windows security bypass
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        PID: 2640
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
        PID: 2156
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          PID: 2520
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2
            PID: 2360
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 5c747c374fb8163c768e2d1e9f8d0bb5
  SHA1: 5b7dcf4f002ce0cafc0f1c8d819447a973231d5b
  SHA256: 4998566f9222f389addee90929c9711241447f4cb600e3bdbb979fbbf6d1e280
  SHA512: eda242939cda58be07e457668325a6823c5312d88e677aa570793c5f78084f1f26d2611af4961771f06a677041a03320d2a6ce6e575d52a2faac55721f476423
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: dea857cd35ed7911faf2eb1f3a435bca
  SHA1: 6654d89663c05056bf31442343083421c7a6ad21
  SHA256: 42b3eef6605dd496bc0c3a554988bd66a17a9b89365a69e54090a168f26d14a8
  SHA512: 01fa36ef9258cd7bedefa9dc5125811056a658e132c80ea1ed0ff7f45e28d8ff68f19fe642286d5ec3ba9fcc205a1536c8c2320af3f804b53c5b98ba02d8b473
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: f7849a09418f04432c15bfd27c01ebe7
  SHA1: b5dc444daac2e5e682e67474680296ca114b3c69
  SHA256: 3e3204ff0b228cb5e70c1db14b7c06b1e4cad1a8e4ed2dfe271bdaf35bafc0c2
  SHA512: 5af31fff82956ad4e189af64ae8aa331ec8b8acad310d4780f4a79a1182c1038800176492eea11d255f5f3339eb8fda08d1387805590e103a910991402947cfe
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d0d2cd691b66e3e197c2fd8f29952b76
  SHA1: 848625ae94f6d99c4f366682832f3b0038ec0824
  SHA256: 7f89528199fe2db735392c8470a5f9da6693c5be4151c386f13ac2b9063de30c
  SHA512: 8b64b921ed9f84d657998df037dc5b112dcd3f19f756210bb0ff8968365e1987c3e338e103639893dd1b852baae3b4e0bb0098e06b8f867fc0ab1153c1c4c43c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: dd90c099961d20ebbc5a2f566564571b
  SHA1: 6f793c4854816aa32c185b186ee57e6ae5c9eb88
  SHA256: b4c166c53e695b788bcd7183dc7222a0de685c586956d7a1d209559d63dc0b68
  SHA512: d8747961c5d96690ab7c9afb9ab432f80262544e142a39dbc5f73c9faff93cf7e39fa1ec049ea9b6f6c0c061ffdfb6edab4f9e121feb14d6b62efa7ca0d6a2ac
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4859abd36dab096c32ab4f52c363744a
  SHA1: f7829292a3040d354dc73e0119cd0882f5835490
  SHA256: de30a2ec9816de301b8f020fbfd8f208322df94d903a3195051c8df7afdd2c6f
  SHA512: 8017dcb2f8187a6efaaf27630082fa6528eea3a57f2805d2cfeafc710c916064dfb1e3c22e72b25e3f7be5b79cc502c54a6aa0e27474381a9eab7b462851f510
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d1af783e54a8e5c3311928ba4845b675
  SHA1: b35d22059f31ce60aba07f89fa265a6f4ce7948a
  SHA256: d632d38e73696aed302884fbcb411507e3e715303e70e3522fc4788dd2aa61be
  SHA512: 9625aa81015150f93295f7d7c81acf750e9ba61b8dfdb85957579ea3be7af2a268c7532d10a18221507161afbe5414914450f73fc4c5b9cc794a79df29e8d438
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d416805791ee5cf6fcf5314ceb4757a5
  SHA1: ea2bdf352b33fc4a7884f4db89e5e3e4ad1d7b7e
  SHA256: 48cc5c805f6cbcd830298fa45b9ec3b8cd60961ad6f9ac63f3866f518a24bedc
  SHA512: d19a930cd93eadd655742efca1bfa841da426d3f39f975b4650eae8de2e9d55f6dfd57e55322787647e3a7afec56992923d98f2e62493171441bb5e13dd1e63c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: bc071a650121c94c14fa3ce8cbf15dde
  SHA1: 2319823c8a524d4bc55be752cb2e3c9177cdb152
  SHA256: e367c153279b09cc8054b8899a86ccc91060374ab657f858e02ec221be1abecb
  SHA512: e453fe3c03b0e5c7795ad79b99752e79f4d61addeac9c283f76c9c84d0d800d9ff173e62a514e9921a5702256a767647cd879043bc8486d7dbff9a9805a0c305
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d90ca5321433fda699f1ad436fc992b4
  SHA1: 7bd34d0e9d97df2d8f274f1a4a62f30bfb44bbc1
  SHA256: e28b49e45422dd185d2476e64faed3c2cbdcb886a56b42c614e911dec3956983
  SHA512: 9602868bc76aa870724dbfa8418c43d0fbc220f80a5b6687e7ea27ac48a8f4557f7515bed1f6538c4996498ffa9e5672cca753ffa7dd14a7df6478b3760e5e9a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a43b1e5d144459bb0ccad76b68f7f3ef
  SHA1: 740306bac8460b90c0756b7e37f0d7243b2189e0
  SHA256: 3b8b4138c5ff0c080b923ca9b8c7f23cd0b3415ec9167ddae3d19ea6d60922b0
  SHA512: 0f812cb81fe16862ed2724466aa0ca306865c82eeda2e0eb6f10e0ba05f32698e6767e34b222c36741644ed70f18730c7a0e68e3fe42e22c4fc3f2b2ecef4bf9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1943902473a3b882e48f29e6b1c30546
  SHA1: f01f073d3c007c1f7dd7aaa912b8f07425becde5
  SHA256: 005ad0a3910a49ef610bfe1100e5f7f6b2e7b5a960c02a9c7ae5853536d9917b
  SHA512: 0c3bfa535be0bde67bad176e9be64735f725e93fedc4bb1c16aaaea52ee382e7f5e742c3eb9c9600602c64e9647af3768fac74ca1deb00c79bc1fe71e544db86
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 9de7ce2fc209e130a3f76004d5995318
  SHA1: 92b79846d697e43fe0059eeb8f4a4d5fe2a0a1d1
  SHA256: 5d45b07219048916ed116b4a24da756976bb15ea58ac6f21eb20d228cafd385d
  SHA512: 46cccb369ec3c17083f7cb509ac05208cfe44cc396e955a431b5481f2a58717260824dbbad774354a5dc3c32cd9e2b1c03acac4d8e65ce38ac9672fb6a0d171e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a9ebc730d6a66a8f3e615dd1cb2ce473
  SHA1: 8fdcfe503383f81c21f22793c42c13bb7d0b32bf
  SHA256: 1abf1297f3f0f3af1233e349534b57e915207af527854b77f6af8e3618bf784f
  SHA512: e0c1ea720bb5e0a2e52bb727aa99075cbea01c7f2446ee47cbb896ca6a8a1c8bda89d2d18afb2d6de352262024ef8bc6562aee8cab53dec933f3a8a6092f23f7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b9004441f2bb520c03bbcda4ffe958d5
  SHA1: 607db60d71518a3dda7b1c495ee04648013edd16
  SHA256: 761348c91c75e5babe96d26c9344fec06afbc2069e7457ea1f4cb6aca10d1c6a
  SHA512: bc6b379d7e10071653315e81b80d3be6ceb7276e6548510e87ecf172ef3f60bd4b7992a2409e5dcdfa478a1ea8c0b522f1a5af08e2abf1697e94e2527ce14df9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 37c9b7a461879a23971d8368fc52831f
  SHA1: cd3a197e062e8fdf1766ea6947b3ca518a16f5af
  SHA256: 6888f5df0d997c8b7bd7e380e67329635dcdfa84547ee5b0230176c38ac4223e
  SHA512: 3b45284c6a6561a701efebb70512962fdbd2d60c498faf213f379ba56c54397b086b7380b6da71fbc9c71c527db6c71a027cb5f2b66c837eaf59fcd348a18a54
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 605a11a3c41c933509333e0df1e84082
  SHA1: ecbff21f565cb8b1d59e671d7e9b6c2a06701429
  SHA256: d9f93daa2d9b40d3642a1ccf083f5b2cc882444955d2629d9f0de41c2e6d5018
  SHA512: cf49739c8c460c881fe938dc24ea3bd982598c20184b002e6659b25a5db762191624da6fda56ba29398559e38efae55419017a59d6bd000e99dae1a004762199
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: bf7b06cbafd91d2ff5e9aff97b90dd0e
  SHA1: 3412d7ca293917f3860f1a7e65520b66489a0fd1
  SHA256: 86e1787a74664e4fa9a67e7f5e6b83e290b006193b0892f5ae7c74fb92ea874e
  SHA512: fc7891f90dc41d1eef48e81a10c2d848d8dd57e7e0833b5d1749277d5ae77a82892a94f6fc9d50dc34ab61f5917c0d22055890693877d2088b8809046ca75d89
- (path not preserved)
  Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- (path not preserved)
  Filesize: 163KB
  MD5: 9441737383d21192400eca82fda910ec
  SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
- (path not preserved)
  Filesize: 151B
  MD5: 06958f9a52f43dab2037d787f901e5f1
  SHA1: 543de07beecdce3b6bc4ab8b9a3a7c9c37a30c99
  SHA256: 3d825857ca2448975484bcc6e3497b38c32251b06160fb10f9ad010ecc543aee
  SHA512: 50021a6d0c8772fc8ed89aab18d00613eef835373bfe668d4d50a04a05e1eae1812ceb8d557a21b55854b32822af6e7d037410723d2bb3a5481d8e1bad054e85
- (path not preserved)
  Filesize: 151B
  MD5: 06958f9a52f43dab2037d787f901e5f1
  SHA1: 543de07beecdce3b6bc4ab8b9a3a7c9c37a30c99
  SHA256: 3d825857ca2448975484bcc6e3497b38c32251b06160fb10f9ad010ecc543aee
  SHA512: 50021a6d0c8772fc8ed89aab18d00613eef835373bfe668d4d50a04a05e1eae1812ceb8d557a21b55854b32822af6e7d037410723d2bb3a5481d8e1bad054e85
- (path not preserved)
  Filesize: 731KB
  MD5: 3024f8b8500d2629b5d934d0ef334efb
  SHA1: d2013e0488e50fe9039986129e46725c2353e0a7
  SHA256: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
  SHA512: b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
- (path not preserved)
  Filesize: 731KB
  MD5: 3024f8b8500d2629b5d934d0ef334efb
  SHA1: d2013e0488e50fe9039986129e46725c2353e0a7
  SHA256: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
  SHA512: b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
- (path not preserved)
  Filesize: 731KB
  MD5: 3024f8b8500d2629b5d934d0ef334efb
  SHA1: d2013e0488e50fe9039986129e46725c2353e0a7
  SHA256: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
  SHA512: b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998