Analysis
-
max time kernel
46s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15-10-2023 14:43
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe
-
Size
240KB
-
MD5
6ea06d3e97986c035c377223cefe0fb1
-
SHA1
6ac00da44291aed5832338b2d1792567a7d12924
-
SHA256
76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33
-
SHA512
0ec26d1f07968dcfdb810c0e29d5f9f9af1c4cf3c768dbb3d91a080d17605a5d05d25423978eb891dcfe2fc938af02eef2ed1489c7c8f7799af02875fbee451b
-
SSDEEP
3072:LxBU2lzBjWBuBz10fW2VEiJ9hvC+1Qd26d8kGrf3IT5bAtSDoqRu:PU2NBSBuBzyvrvP1Q4E8kYY5AtSDP
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.pthh
-
offline_id
43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
smokeloader
pub1
Signatures
-
Detected Djvu ransomware 9 IoCs
resource yara_rule behavioral2/memory/5064-21-0x0000000004A10000-0x0000000004B2B000-memory.dmp family_djvu behavioral2/memory/952-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/952-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/952-25-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/952-26-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/952-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-48-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-51-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 14 IoCs
resource yara_rule behavioral2/memory/3108-98-0x0000000005120000-0x0000000005A0B000-memory.dmp family_glupteba behavioral2/memory/3108-99-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3108-143-0x0000000005120000-0x0000000005A0B000-memory.dmp family_glupteba behavioral2/memory/3108-148-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3108-204-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3108-214-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3648-275-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3648-325-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/472-384-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/472-419-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/472-427-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/472-429-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/472-432-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/472-434-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/420-53-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/memory/5020-251-0x0000000000530000-0x000000000058A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1304 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation 530D.exe -
Executes dropped EXE 7 IoCs
pid Process 5064 530D.exe 952 530D.exe 4124 530D.exe 1132 6686.exe 5040 6917.exe 1956 530D.exe 372 706B.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1368 icacls.exe -
resource yara_rule behavioral2/files/0x0007000000023264-422.dat upx behavioral2/files/0x0007000000023264-423.dat upx behavioral2/files/0x0007000000023264-425.dat upx behavioral2/memory/1664-426-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/3808-428-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/3808-433-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9e454c0-9b15-4e4a-9342-e39613f88b2f\\530D.exe\" --AutoStart" 530D.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 68 api.2ip.ua 69 api.2ip.ua -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 5064 set thread context of 952 5064 530D.exe 93 PID 4124 set thread context of 1956 4124 530D.exe 100 PID 5040 set thread context of 420 5040 6917.exe 105 -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2684 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3808 1956 WerFault.exe 100 888 5040 WerFault.exe 98 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4408 schtasks.exe 1540 schtasks.exe 548 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 692 NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe 692 NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 692 NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found Token: SeShutdownPrivilege 3140 Process not Found Token: SeCreatePagefilePrivilege 3140 Process not Found -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 3140 wrote to memory of 5064 3140 Process not Found 92 PID 3140 wrote to memory of 5064 3140 Process not Found 92 PID 3140 wrote to memory of 5064 3140 Process not Found 92 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 5064 wrote to memory of 952 5064 530D.exe 93 PID 952 wrote to memory of 1368 952 530D.exe 94 PID 952 wrote to memory of 1368 952 530D.exe 94 PID 952 wrote to memory of 1368 952 530D.exe 94 PID 952 wrote to memory of 4124 952 530D.exe 95 PID 952 wrote to memory of 4124 952 530D.exe 95 PID 952 wrote to memory of 4124 952 530D.exe 95 PID 3140 wrote to memory of 1132 3140 Process not Found 97 PID 3140 wrote to memory of 1132 3140 Process not Found 97 PID 3140 wrote to memory of 5040 3140 Process not Found 98 PID 3140 wrote to memory of 5040 3140 Process not Found 98 PID 3140 wrote to memory of 5040 3140 Process not Found 98 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 4124 wrote to memory of 1956 4124 530D.exe 100 PID 5040 wrote to memory of 3864 5040 6917.exe 104 PID 5040 wrote to memory of 3864 5040 6917.exe 104 PID 5040 wrote to memory of 3864 5040 6917.exe 104 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 5040 wrote to memory of 420 5040 6917.exe 105 PID 3140 wrote to memory of 372 3140 Process not Found 108 PID 3140 wrote to memory of 372 3140 Process not Found 108 PID 3140 wrote to memory of 372 3140 Process not Found 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.76ab9dacb5fbbce3d4021b4d46622d96d0599af96440989a61c8fe555a3cac33exe_JC.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:692
-
C:\Users\Admin\AppData\Local\Temp\530D.exeC:\Users\Admin\AppData\Local\Temp\530D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\530D.exeC:\Users\Admin\AppData\Local\Temp\530D.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\c9e454c0-9b15-4e4a-9342-e39613f88b2f" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:1368
-
-
C:\Users\Admin\AppData\Local\Temp\530D.exe"C:\Users\Admin\AppData\Local\Temp\530D.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\530D.exe"C:\Users\Admin\AppData\Local\Temp\530D.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 5685⤵
- Program crash
PID:3808
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6686.exeC:\Users\Admin\AppData\Local\Temp\6686.exe1⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe2⤵PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\6917.exeC:\Users\Admin\AppData\Local\Temp\6917.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 2642⤵
- Program crash
PID:888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 19561⤵PID:2728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5040 -ip 50401⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\706B.exeC:\Users\Admin\AppData\Local\Temp\706B.exe1⤵
- Executes dropped EXE
PID:372 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵PID:384
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F3⤵
- Creates scheduled task(s)
PID:4408
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit3⤵PID:3608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4180
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"4⤵PID:3648
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E4⤵PID:1360
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4700
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"4⤵PID:4140
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E4⤵PID:3360
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\737A.exeC:\Users\Admin\AppData\Local\Temp\737A.exe1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\7995.exeC:\Users\Admin\AppData\Local\Temp\7995.exe1⤵PID:3108
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵PID:1368
-
-
C:\Users\Admin\AppData\Local\Temp\7995.exe"C:\Users\Admin\AppData\Local\Temp\7995.exe"2⤵PID:3648
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:2056
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:2264
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:1304
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:2076
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:4668
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵PID:472
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:4568
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:1540
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:2736
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:4580
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:4212
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵PID:3520
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:548
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:1600
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
PID:2684
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\7C65.dll1⤵PID:3900
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\7C65.dll2⤵PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\8C44.exeC:\Users\Admin\AppData\Local\Temp\8C44.exe1⤵PID:100
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1072
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵PID:180
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵PID:900
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
8.9MB
MD522b5ba8e29ad46aea74520369763650a
SHA15477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA51238cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
249KB
MD5a9991493e536d974f42a70843dae6209
SHA19f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA5123d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a
-
Filesize
249KB
MD5a9991493e536d974f42a70843dae6209
SHA19f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA5123d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
7.5MB
MD5ef5c1e67c5a2aea56c8afb7146bd7978
SHA15679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA51229ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6
-
Filesize
7.5MB
MD5ef5c1e67c5a2aea56c8afb7146bd7978
SHA15679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA51229ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
249KB
MD5a9991493e536d974f42a70843dae6209
SHA19f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA5123d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5825c7e7297b07914a19edd729637c434
SHA1fb332ced75a6624226b35c47000d87f44d32f79c
SHA2560f60fb9a5cbe909bc8116d6801974b1fd7a4dd10e2cef756e76bd90a6d89d897
SHA5123305676440f77ce1eed497555a00fee2354e3f6824305534a4c1dc2971dcb979bdbf037b1afed1f5556d37c08f1d3ff8653fb5a9f9822e924107b24aa8febeda
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD56d4699dc3b852e45a339ae646456e1e0
SHA10797b24d9f2e1f96b37166c3f263d2b333ce3b11
SHA256df2a8458095435298bd6124b6970a6562cedad537550d68461f4a6e3cdf28cb2
SHA512fd995a8963573dcf22e4364610c1d50855a942902eca743bd1e6106d5ceb965a7a527701d8634888eaa176919c86718c9488ad287492bac818baeda05400a46d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD598be748b4348edf41aba8282165f0963
SHA15a535bc146b889bd9585526ebc2ad054e5546e60
SHA256b3368b95c55c0e48ef20f81bf516456b48b9bd0a7d7b74b6a0a4343e303ec19f
SHA51246cb7dcf9b07fff06d4d878380e466959e17efd4ac98e571028e73f14179cb2bff3d45a7544ef216542f849b47c7596190b979f054ce8a8d6f1651c5abc59a1f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD56d6fe69a7d5e753c9cf892149e71711e
SHA110b1895601536d09ff7b39bf0458d880d208ee29
SHA2567762344ac6e5bfa8b9875836688903015d5a825f8bd58b38fcdf1c6cbdab93cd
SHA512b29cebc4c16de2e393e8f180fae4db17c3a266295167ba59a0acd05c9ba3f09e75b2aff3ba5cbc4f17166819eb6c48619790889812ad1a45a9992eb86a458614
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD597bbfe83354de76be2bd85117d8f29d7
SHA1de7992398d59382e46b05fed2655e17e913e3f13
SHA2569e8e82ca165746157fb2d1776ac2e180df382a2dff15a3f2cfba624fda1abf0f
SHA512e55ebb063640723671fbaa4fcb1d384d73b14c6565664105278b2aaf71ed3e4f67dac8856ebfd608198da44a46c4ee209006f81393f826d33bbea0ef80871144
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec