Analysis
max time kernel: 138s
max time network: 147s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2023 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
  Resource: win10v2004-20230915-en
General
Target: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Size: 896KB
MD5: e478fc4b0c1091347240550446e2f7a2
SHA1: 2c46e2b777dc7a29c17deaee98534069efa91586
SHA256: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
SHA512: 6476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
SSDEEP: 12288:GmVjOxbWKVGu27Wm4XfbzsqPhxRAUwQ7xjAkZNPrApR60mR4IQfei08hTrC+iQas:GmVja2iPhhXZq60zD1himaDQ
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.gkas.com.tr
Port: 587
Username: [email protected]
Password: Gkasteknik@2022
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2488-26-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2488-28-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2488-31-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Windows security bypass
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | svchost.exe
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | svchost.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
2644 | svchost.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
2696 | cmd.exe
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2644 set thread context of 2488 | 2644 | svchost.exe | regtlibv12.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
2636 | timeout.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402505511" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000007cf9a0c367997d00d02efa563acf52037fde260bf226b978079d292791240acf000000000e80000000020000200000007263c58ec91f62b0d5a99a772be4d80d8f93504e2922f3cf3a06e9f996ed804c20000000b9c8232863bedecb7ebb882f3c169a4037d065946b04104017951f0ccfd96b0940000000f01f6ec444f3425aba4d0aaaa44984ff5b89a1fa9ea27999fff4cd6da3afa28471c390e9ee2c081c17a93e41ad5aca25c60187fd2526a3e94efab9d6b6071720 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not extracted) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E60BBD01-61F9-11EE-A0E4-CE1068F0F1D9} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c027f7c006f6d901 | iexplore.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
2580 | powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
Token: SeDebugPrivilege | 2644 | svchost.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1800 | iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1800 | iexplore.exe
1800 | iexplore.exe
1964 | IEXPLORE.EXE
1964 | IEXPLORE.EXE
1964 | IEXPLORE.EXE
1964 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process
PID 1732 wrote to memory of 2920 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 1732 wrote to memory of 2920 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 1732 wrote to memory of 2920 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 1732 wrote to memory of 2920 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 2920 wrote to memory of 2592 | 2920 | cmd.exe | schtasks.exe
PID 2920 wrote to memory of 2592 | 2920 | cmd.exe | schtasks.exe
PID 2920 wrote to memory of 2592 | 2920 | cmd.exe | schtasks.exe
PID 2920 wrote to memory of 2592 | 2920 | cmd.exe | schtasks.exe
PID 1732 wrote to memory of 2696 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 1732 wrote to memory of 2696 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 1732 wrote to memory of 2696 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 1732 wrote to memory of 2696 | 1732 | 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe | cmd.exe
PID 2696 wrote to memory of 2636 | 2696 | cmd.exe | timeout.exe
PID 2696 wrote to memory of 2636 | 2696 | cmd.exe | timeout.exe
PID 2696 wrote to memory of 2636 | 2696 | cmd.exe | timeout.exe
PID 2696 wrote to memory of 2636 | 2696 | cmd.exe | timeout.exe
PID 2696 wrote to memory of 2644 | 2696 | cmd.exe | svchost.exe
PID 2696 wrote to memory of 2644 | 2696 | cmd.exe | svchost.exe
PID 2696 wrote to memory of 2644 | 2696 | cmd.exe | svchost.exe
PID 2696 wrote to memory of 2644 | 2696 | cmd.exe | svchost.exe
PID 2644 wrote to memory of 2580 | 2644 | svchost.exe | powershell.exe
PID 2644 wrote to memory of 2580 | 2644 | svchost.exe | powershell.exe
PID 2644 wrote to memory of 2580 | 2644 | svchost.exe | powershell.exe
PID 2644 wrote to memory of 2580 | 2644 | svchost.exe | powershell.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2644 wrote to memory of 2488 | 2644 | svchost.exe | regtlibv12.exe
PID 2488 wrote to memory of 1800 | 2488 | regtlibv12.exe | iexplore.exe
PID 2488 wrote to memory of 1800 | 2488 | regtlibv12.exe | iexplore.exe
PID 2488 wrote to memory of 1800 | 2488 | regtlibv12.exe | iexplore.exe
PID 2488 wrote to memory of 1800 | 2488 | regtlibv12.exe | iexplore.exe
PID 1800 wrote to memory of 1964 | 1800 | iexplore.exe | IEXPLORE.EXE
PID 1800 wrote to memory of 1964 | 1800 | iexplore.exe | IEXPLORE.EXE
PID 1800 wrote to memory of 1964 | 1800 | iexplore.exe | IEXPLORE.EXE
PID 1800 wrote to memory of 1964 | 1800 | iexplore.exe | IEXPLORE.EXE
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1732
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 2920
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
      PID: 2592
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9222.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2696
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 2636
    - C:\Users\Admin\AppData\Roaming\svchost.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - UAC bypass
      - Windows security bypass
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2644
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2580
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2488
        - C:\Program Files\Internet Explorer\iexplore.exe (depth 5)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=regtlibv12.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1800
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 6)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 1964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)
Downloads