Analysis
- max time kernel: 139s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-10-2023 14:30

Static task: static1

Behavioral task: behavioral1
- Sample: NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe
- Resource: win10v2004-20230915-en

All signatures, processes and dropped files below come from behavioral2 (the Windows 10 2004 x64 run); every IoC path is prefixed behavioral2/.
General
- Target: NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe
- Size: 240KB
- MD5: ea67ea7b5fdbd80c69d9ab73ecb17c55
- SHA1: 0e12ea15b50e9938d4612ecf2bced153323fb617
- SHA256: 467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48d
- SHA512: 001ce2118435e3241941d4737d6e18733d0c9b18f7dc26bcb1abed8d6697e2306193e74a7ac396ec908c854db520c285b4201a070c863cf3d54b7f01fb585190
- SSDEEP: 3072:Azhq34Ie3E/Tihf5C1kI/wAem3Sx4IVzdtE8LZ5jKtGJvxc:cw4E/Tu5WkK1NCx4qdt1zKt6
Malware Config

Extracted: smokeloader
- version: 2022
- C2:
  - http://onualituyrs.org/
  - http://sumagulituyo.org/
  - http://snukerukeutit.org/
  - http://lightseinsteniki.org/
  - http://liuliuoumumy.org/
  - http://stualialuyastrelia.net/
  - http://kumbuyartyty.net/
  - http://criogetikfenbut.org/
  - http://tonimiuyaytre.org/
  - http://tyiuiunuewqy.org/
  - http://wirtshauspost.at/tmp/
  - http://msktk.ru/tmp/
  - http://soetegem.com/tmp/
  - http://gromograd.ru/tmp/
  - http://talesofpirates.net/tmp/

Extracted: djvu
- C2: http://zexeq.com/raud/get.php
- extension: .pthh
- offline_id: 43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
- payload_url:
  - http://colisumy.com/dl/build2.exe
  - http://zexeq.com/files/1/build3.exe
- ransomnote (verbatim): ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr

Extracted: redline
- botnet: LogsDiller Cloud (TG: @logsdillabot)
- C2: 146.59.161.13:39199

Extracted: amadey
- version: 3.87
- C2: http://79.137.192.18/9bDc8sQ/index.php
- install_dir: 577f58beff
- install_file: yiueea.exe
- strings_key: a5085075a537f09dec81cc154ec0af4d

Extracted: smokeloader
- botnet: pub1
Signatures

Detected Djvu ransomware (9 IoCs)
yara_rule family_djvu matched in:
- behavioral2/memory/4712-21-0x00000000049F0000-0x0000000004B0B000-memory.dmp
- behavioral2/memory/3948-24-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/3948-22-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/3948-25-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/3948-26-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/3948-65-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/4332-76-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/4332-78-0x0000000000400000-0x0000000000537000-memory.dmp
- behavioral2/memory/4332-81-0x0000000000400000-0x0000000000537000-memory.dmp

Djvu Ransomware
Ransomware which is a variant of the STOP family.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
yara_rule family_redline matched in:
- behavioral2/memory/2448-41-0x0000000000400000-0x000000000043E000-memory.dmp
- behavioral2/memory/4128-121-0x0000000000FB0000-0x000000000100A000-memory.dmp

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

.NET Reactor protector (3 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
yara_rule net_reactor matched in:
- behavioral2/files/0x000a000000023204-136.dat
- behavioral2/files/0x000a000000023204-135.dat
- behavioral2/memory/1768-143-0x0000000000CD0000-0x0000000000E76000-memory.dmp

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation
- by F943.exe
- by yiueea.exe
- by E2AA.exe

Executes dropped EXE (14 IoCs)
- 4712 E2AA.exe
- 3948 E2AA.exe
- 1152 F326.exe
- 4068 F588.exe
- 972 F943.exe
- 376 yiueea.exe
- 3124 FDE7.exe
- 1164 E2AA.exe
- 4332 E2AA.exe
- 3452 3A09.exe
- 1768 3C8A.exe
- 4292 yiueea.exe
- 2224 rghcgts
- 2584 E2AA.exe

Loads dropped DLL (2 IoCs)
- 4220 regsvr32.exe
- 2704 regsvr32.exe

Modifies file permissions (1 TTPs, 1 IoCs)
- 5116 icacls.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Keys opened by explorer.exe:
- \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Set value (str) by E2AA.exe:
\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\\E2AA.exe\" --AutoStart"

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 70: api.2ip.ua
- flow 71: api.2ip.ua

Suspicious use of SetThreadContext (5 IoCs)
- PID 4712 (E2AA.exe) set thread context of PID 3948 (target procid 93)
- PID 4068 (F588.exe) set thread context of PID 2448 (target procid 98)
- PID 1164 (E2AA.exe) set thread context of PID 4332 (target procid 111)
- PID 1152 (F326.exe) set thread context of PID 4128 (target procid 124)
- PID 1768 (3C8A.exe) set thread context of PID 4528 (target procid 134)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
- PID 4356 WerFault.exe for crashed PID 4068 (target procid 95)
- PID 1604 WerFault.exe for crashed PID 4332 (target procid 111)

Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI opened, queried and enumerated by each of:
- NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe
- FDE7.exe
- rghcgts

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 1756 schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs shown)
- 1604 NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe (2 events)
- 2572 Process not Found (62 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- 2572 Process not Found

Suspicious behavior: MapViewOfSection (6 IoCs)
- 1604 NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe
- 3124 FDE7.exe
- 2572 Process not Found (4 events)

Suspicious use of AdjustPrivilegeToken (39 IoCs)
- SeShutdownPrivilege and SeCreatePagefilePrivilege: 2572 Process not Found (17 events each, 34 in total)
- SeDebugPrivilege: 1768 3C8A.exe
- SeDebugPrivilege: 3452 3A09.exe
- SeDebugPrivilege: 2448 AppLaunch.exe
- SeDebugPrivilege: 4128 jsc.exe
- SeDebugPrivilege: 4528 InstallUtil.exe

Suspicious use of UnmapMainImage (1 IoCs)
- 2572 Process not Found

Suspicious use of WriteProcessMemory (64 IoCs shown; the list ends at 64 rows)
Source PID (image) -> target PID, target procid, number of rows:
- 2572 (Process not Found) -> 4712, procid 92, 3 rows
- 4712 (E2AA.exe) -> 3948, procid 93, 10 rows
- 2572 (Process not Found) -> 1152, procid 94, 2 rows
- 2572 (Process not Found) -> 4068, procid 95, 3 rows
- 3948 (E2AA.exe) -> 5116, procid 97, 3 rows
- 4068 (F588.exe) -> 2448, procid 98, 8 rows
- 2572 (Process not Found) -> 972, procid 101, 3 rows
- 3948 (E2AA.exe) -> 1164, procid 103, 3 rows
- 972 (F943.exe) -> 376, procid 105, 3 rows
- 2572 (Process not Found) -> 3124, procid 106, 3 rows
- 376 (yiueea.exe) -> 1756, procid 107, 3 rows
- 376 (yiueea.exe) -> 1876, procid 109, 3 rows
- 1164 (E2AA.exe) -> 4332, procid 111, 10 rows
- 1876 (cmd.exe) -> 3360, procid 112, 3 rows
- 1876 (cmd.exe) -> 2236, procid 113, 3 rows
- 1876 (cmd.exe) -> 372, procid 115, 1 row (list truncated here)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoCs)
- Key opened by explorer.exe: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoCs)
- Key opened by explorer.exe: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
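The SetThreadContext and WriteProcessMemory signatures above are the raw material for spotting process hollowing: four of the droppers (E2AA.exe, F588.exe, F326.exe, 3C8A.exe) start a child and then rewrite its thread context, and three of the targets are signed .NET Framework utilities (AppLaunch.exe, jsc.exe, InstallUtil.exe). The Python below is an added example by the editor, not part of the sandbox report or of any tool it names. It parses rows in the report's own flattened format (the sample rows are constructed from the two tables above, duplicates dropped), pairs them per source and target, and scores each pair. The DOTNET_HOSTS set and the confidence labels are the editor's assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Rows copied from this report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables, with repeated rows dropped.
# The WriteProcessMemory table on the page ends at 64 rows, so two of the
# SetThreadContext pairs (1152->4128, 1768->4528) have no matching write here.
INJECTION_EVENTS = """\
PID 4712 set thread context of 3948 4712 E2AA.exe 93
PID 4068 set thread context of 2448 4068 F588.exe 98
PID 1164 set thread context of 4332 1164 E2AA.exe 111
PID 1152 set thread context of 4128 1152 F326.exe 124
PID 1768 set thread context of 4528 1768 3C8A.exe 134
PID 4712 wrote to memory of 3948 4712 E2AA.exe 93
PID 3948 wrote to memory of 5116 3948 E2AA.exe 97
PID 4068 wrote to memory of 2448 4068 F588.exe 98
PID 3948 wrote to memory of 1164 3948 E2AA.exe 103
PID 972 wrote to memory of 376 972 F943.exe 105
PID 376 wrote to memory of 1756 376 yiueea.exe 107
PID 1164 wrote to memory of 4332 1164 E2AA.exe 111
"""

# Target PID -> image name, read off the process tree in this report.
PID_IMAGE = {
    3948: "E2AA.exe", 4332: "E2AA.exe", 1164: "E2AA.exe",
    2448: "AppLaunch.exe", 4128: "jsc.exe", 4528: "InstallUtil.exe",
    5116: "icacls.exe", 376: "yiueea.exe", 1756: "schtasks.exe",
}

# Editor's assumption: signed .NET Framework utilities that loaders routinely
# start suspended and overwrite (the three seen in this report plus siblings
# from the same folder).
DOTNET_HOSTS = {"applaunch.exe", "jsc.exe", "installutil.exe",
                "regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe"}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)


def parse_events(text):
    """Turn the flattened sandbox rows into (src_pid, src_image, action, dst_pid) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((int(m["src"]), m["image"], m["action"], int(m["dst"])))
    return events


def correlate(events, pid_image):
    """Score every (source, target) pair that shows the hollowing sequence.

    A parent writing into a child it has just created is normal (command line,
    environment block), so WriteProcessMemory on its own is ignored. Calling
    SetThreadContext on another process is rare in benign software; paired with
    a write into the same target it is the classic process-hollowing pattern.
    """
    actions = defaultdict(set)
    src_image = {}
    for src, image, action, dst in events:
        actions[(src, dst)].add(action)
        src_image[src] = image

    findings = []
    for (src, dst), acts in sorted(actions.items(), key=lambda kv: kv[0][1]):
        if "set thread context of" not in acts:
            continue
        target = pid_image.get(dst, "unknown")
        findings.append({
            "source_pid": src,
            "source_image": src_image[src],
            "target_pid": dst,
            "target_image": target,
            # both primitives on one target: hollowing; context alone: still worth a look
            "confidence": "high" if "wrote to memory of" in acts else "medium",
            # Djvu's stub spawns a copy of itself and hollows that copy
            "self_injection": target == src_image[src],
            "dotnet_host": target.lower() in DOTNET_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(INJECTION_EVENTS), PID_IMAGE):
        print(f"{f['confidence']:6} {f['source_image']}({f['source_pid']}) -> "
              f"{f['target_image']}({f['target_pid']})"
              f"{'  self-injection' if f['self_injection'] else ''}"
              f"{'  .NET host' if f['dotnet_host'] else ''}")
```

On the rows above this yields five findings: three high-confidence pairs (F588.exe into AppLaunch.exe, and E2AA.exe twice into a fresh copy of itself) and two medium ones (F326.exe into jsc.exe, 3C8A.exe into InstallUtil.exe) whose writes fell outside the 64-row table. The WriteProcessMemory-only pairs that the function skips include PID 2572 ("Process not Found") starting every dropper; the report does not name that process, but launching downloaded payloads from a hollowed explorer.exe is SmokeLoader's usual behaviour, so it is the first thing to check when a live host is available.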
Processes

- C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe (PID 1604)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe"
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

- C:\Users\Admin\AppData\Local\Temp\E2AA.exe (PID 4712)
  command line: C:\Users\Admin\AppData\Local\Temp\E2AA.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\E2AA.exe (PID 3948)
    command line: C:\Users\Admin\AppData\Local\Temp\E2AA.exe
    signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe (PID 5116)
      command line: icacls "C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      signatures: Modifies file permissions
    - C:\Users\Admin\AppData\Local\Temp\E2AA.exe (PID 1164)
      command line: "C:\Users\Admin\AppData\Local\Temp\E2AA.exe" --Admin IsNotAutoStart IsNotTask
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\E2AA.exe (PID 4332)
        command line: "C:\Users\Admin\AppData\Local\Temp\E2AA.exe" --Admin IsNotAutoStart IsNotTask
        signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe (PID 1604; the PID was reused after the original sample, also PID 1604, had exited)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 568
          signatures: Program crash

- C:\Users\Admin\AppData\Local\Temp\F326.exe (PID 1152)
  command line: C:\Users\Admin\AppData\Local\Temp\F326.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 4128)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    signatures: Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Local\Temp\F588.exe (PID 4068)
  command line: C:\Users\Admin\AppData\Local\Temp\F588.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2448)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4356)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 140
    signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 1248)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4068 -ip 4068

- C:\Users\Admin\AppData\Local\Temp\F943.exe (PID 972)
  command line: C:\Users\Admin\AppData\Local\Temp\F943.exe
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (PID 376)
    command line: "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1756)
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
      signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 1876)
      command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 3360)
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 2236)
        command line: CACLS "yiueea.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 372)
        command line: CACLS "yiueea.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe (PID 4104)
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 2108)
        command line: CACLS "..\577f58beff" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 3712)
        command line: CACLS "..\577f58beff" /P "Admin:R" /E

- C:\Users\Admin\AppData\Local\Temp\FDE7.exe (PID 3124)
  command line: C:\Users\Admin\AppData\Local\Temp\FDE7.exe
  signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection

- C:\Windows\SysWOW64\WerFault.exe (PID 4300)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4332 -ip 4332

- C:\Windows\system32\regsvr32.exe (PID 3492)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\32E3.dll
  - C:\Windows\SysWOW64\regsvr32.exe (PID 4220)
    command line: /s C:\Users\Admin\AppData\Local\Temp\32E3.dll
    signatures: Loads dropped DLL

- C:\Windows\system32\regsvr32.exe (PID 1028)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\34C8.dll
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2704)
    command line: /s C:\Users\Admin\AppData\Local\Temp\34C8.dll
    signatures: Loads dropped DLL

- C:\Users\Admin\AppData\Local\Temp\3A09.exe (PID 3452)
  command line: C:\Users\Admin\AppData\Local\Temp\3A09.exe
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1588)
    command line (recorded with doubled backslashes): "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 928)
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4272)
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4704)
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4696)
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

- C:\Users\Admin\AppData\Local\Temp\3C8A.exe (PID 1768)
  command line: C:\Users\Admin\AppData\Local\Temp\3C8A.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4528)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\explorer.exe (PID 4928)
  command line: C:\Windows\explorer.exe

- C:\Windows\SysWOW64\explorer.exe (PID 956)
  command line: C:\Windows\SysWOW64\explorer.exe
  signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path

- C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (PID 4292)
  command line: C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  signatures: Executes dropped EXE

- C:\Windows\system32\rundll32.exe (PID 1908)
  command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

- C:\Users\Admin\AppData\Roaming\rghcgts (PID 2224)
  command line: C:\Users\Admin\AppData\Roaming\rghcgts
  signatures: Executes dropped EXE; Checks SCSI registry key(s)

- C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\E2AA.exe (PID 2584)
  command line: C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\E2AA.exe --Task
  signatures: Executes dropped EXE
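Three self-protection and persistence patterns sit in the process tree above and are worth turning into command-line detections: Djvu's icacls call, which denies Everyone (S-1-1-0) the Delete and Delete-Child rights on its install directory so the user cannot remove it; Amadey's schtasks loop, which re-launches yiueea.exe every minute from a folder under %TEMP%, followed by CACLS calls that first strip all access from the Admin account (/P "Admin:N") and then grant read-only (/P "Admin:R" /E) on the file and its directory; and regsvr32 /s loading DLLs straight out of %TEMP%. The Python below is an added example by the editor, not part of the report or of any product; the command lines are copied from the tree above, and the final "Backup" task is made up by the editor as a benign control. The rule names, the five-minute threshold and the staging-directory pattern are the editor's choices.

```python
import re

# Command lines taken from the process tree in this report. The last entry is a
# made-up benign scheduled task, included only as a control; it is not on the page.
SAMPLE_CMDLINES = [
    r'icacls "C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'CACLS "yiueea.exe" /P "Admin:N"',
    r'CACLS "yiueea.exe" /P "Admin:R" /E',
    r'CACLS "..\577f58beff" /P "Admin:N"',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\32E3.dll',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
]

# Which of the four tools a command line invokes, with or without a full path / quotes.
TOOL_RE = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?(icacls|cacls|schtasks|regsvr32)(?:\.exe)?"?(?=\s|$)', re.I)
# User-writable staging locations that droppers favour (editor's assumption).
STAGING_RE = re.compile(r'\\AppData\\(?:Local|Roaming)\\|\\Temp\\', re.I)
# icacls /deny against Everyone or Users: the pattern Djvu uses to block deletion of its own directory.
ICACLS_DENY_RE = re.compile(r'/deny\s+\*?(?:S-1-1-0|Everyone|S-1-5-32-545|Users)\b', re.I)
# cacls /P "<account>:N" replaces that account's ACE with "no access".
CACLS_NONE_RE = re.compile(r'/P\s+"?([^":]+):N\b', re.I)
# schtasks /SC MINUTE with an optional /MO interval; no /MO means every minute.
SCHTASKS_MINUTE_RE = re.compile(r'/SC\s+MINUTE(?:\s+/MO\s+(\d+))?', re.I)
SCHTASKS_TR_RE = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
DLL_PATH_RE = re.compile(r'([^"\s]+\.dll)\b', re.I)

MAX_MINUTES = 5  # anything this frequent is a keep-alive loop, not a maintenance job


def classify(cmdline):
    """Return the list of (rule, detail) pairs that fire on one command line."""
    m = TOOL_RE.match(cmdline.strip())
    if not m:
        return []
    tool = m.group(1).lower()
    hits = []
    if tool == "icacls" and ICACLS_DENY_RE.search(cmdline) and STAGING_RE.search(cmdline):
        hits.append(("acl_lockdown", "icacls denies Everyone/Users on a directory under the user profile"))
    elif tool == "cacls":
        n = CACLS_NONE_RE.search(cmdline)
        if n:
            hits.append(("acl_lockdown", f"cacls removes all access for {n.group(1)}"))
    elif tool == "schtasks":
        minute = SCHTASKS_MINUTE_RE.search(cmdline)
        if minute and int(minute.group(1) or 1) <= MAX_MINUTES:
            hits.append(("high_frequency_task", f"runs every {minute.group(1) or 1} minute(s)"))
        tr = SCHTASKS_TR_RE.search(cmdline)
        if tr and STAGING_RE.search(tr.group(1) or tr.group(2)):
            hits.append(("task_runs_from_staging", tr.group(1) or tr.group(2)))
    elif tool == "regsvr32":
        dll = DLL_PATH_RE.search(cmdline)
        if dll and STAGING_RE.search(dll.group(1)):
            hits.append(("regsvr32_dropped_dll", dll.group(1)))
    return hits


def scan(cmdlines):
    """Map each offending command line to its hits; clean lines are left out."""
    results = {}
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            results[cmd] = hits
    return results


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        for rule, detail in hits:
            print(f"{rule:24} {detail}\n    {cmd}")
```

Five of the seven lines fire (the read-only CACLS grant and the daily backup task do not). The CACLS rule deliberately ignores the path: a relative "yiueea.exe" says nothing about location, but replacing an account's ACE with "no access" on an executable is not something an administrator types by hand. When cleaning a host, the same ACLs have to be undone before the files can be deleted (icacls with /remove:d for the Everyone deny, and /grant for the Admin account), and the SysHelper Run key and the yiueea.exe task listed in the Signatures section have to go as well.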
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
Downloads
29 dropped-file records; records with identical hashes are collapsed below, with the number of records in parentheses.

- 2.3MB (2 records)
  MD5: 55f1c499b31e58a29f6dacea7580fb69
  SHA1: c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
  SHA256: b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
  SHA512: 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

- 1.9MB (2 records)
  MD5: fe7facf5c1db2d17313299c58c6e1ca2
  SHA1: 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
  SHA256: 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
  SHA512: 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

- 5.2MB (2 records)
  MD5: dae038ac3f891d31151fc16e68275604
  SHA1: af12a3da35e6bb46a30c1b05ef400d93c0828b2e
  SHA256: a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
  SHA512: 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

- 1.7MB (2 records)
  MD5: 89bf35a4cd2f8f08d894c51e761ff765
  SHA1: 62e4942d4f167c5ff3145e29c73b9b1a1c427885
  SHA256: 86b45c17c8eda8587a7f8107ecc81c79b4367adeda46ea140f64326f19d659c6
  SHA512: 107ce43b926eb4529a1293354d0b67099a395cf272679cda3127979244debb12241c96387ebc3b48d2f0b66cb4981d3601b5ca70c3a7b44c6a8791c4cd8c8147

- 307KB (6 records)
  MD5: 55f845c433e637594aaf872e41fda207
  SHA1: 1188348ca7e52f075e7d1d0031918c2cea93362e
  SHA256: f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
  SHA512: 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

- 738KB (7 records)
  MD5: 7284de10c970ef4b23460ad9c8b125fe
  SHA1: 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
  SHA256: 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
  SHA512: 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

- 8.9MB (1 record)
  MD5: 22b5ba8e29ad46aea74520369763650a
  SHA1: 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
  SHA256: ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
  SHA512: 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

- 337KB (2 records)
  MD5: 23aca9b594e0ec61e744a486c34ed0ef
  SHA1: 44d7b53c310732634fbf48c2f313505cdb62c6a8
  SHA256: 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
  SHA512: dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

- 249KB (5 records)
  MD5: a9991493e536d974f42a70843dae6209
  SHA1: 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
  SHA256: f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
  SHA512: 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a