Analysis
-
max time kernel
144s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2023 03:27
Static task
static1
Behavioral task
behavioral1
Sample
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
Resource
win10v2004-20231020-en
General
-
Target
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe
-
Size
2.5MB
-
MD5
7578811db1dc86e9298cad006320a938
-
SHA1
42e8584d1d13fdab51fb8f9d05335f4a52ff97ad
-
SHA256
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619
-
SHA512
5263f7335bf8388f1b6c28c2e143c5c56e78c3cdd297dde943489ce909b6faf923d5603a898b1927301e1265ffff9f3a62b61cbdaeaa47d492e41bf36d78a11b
-
SSDEEP
49152:PJo/il+XOWqWhpXIoGtCGs7avcKgiQW0BepMk4Vm5o:PJbm1GL4Gs7McKgiQBepll
Malware Config
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe family_ammyyadmin C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe family_ammyyadmin -
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource yara_rule behavioral1/memory/4628-17-0x0000000003120000-0x0000000003520000-memory.dmp family_rhadamanthys behavioral1/memory/4628-18-0x0000000003120000-0x0000000003520000-memory.dmp family_rhadamanthys behavioral1/memory/4628-19-0x0000000003120000-0x0000000003520000-memory.dmp family_rhadamanthys behavioral1/memory/4628-20-0x0000000003120000-0x0000000003520000-memory.dmp family_rhadamanthys behavioral1/memory/4628-30-0x0000000003120000-0x0000000003520000-memory.dmp family_rhadamanthys behavioral1/memory/4628-32-0x0000000003120000-0x0000000003520000-memory.dmp family_rhadamanthys -
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exedescription pid process target process PID 4628 created 3092 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe Explorer.EXE -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 4356 bcdedit.exe 2716 bcdedit.exe -
Renames multiple (321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
wbadmin.exepid process 4484 wbadmin.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
G64izER5T.exesvchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation G64izER5T.exe Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation svchost.exe -
Deletes itself 1 IoCs
Processes:
certreq.exepid process 232 certreq.exe -
Drops startup file 1 IoCs
Processes:
9333.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\9333.exe 9333.exe -
Executes dropped EXE 10 IoCs
Processes:
oEq.exe~1j%([6%P.exeG64izER5T.exeoEq.exeoEq.exe9333.exe9333.exe9333.exe9333.exesvchost.exepid process 1176 oEq.exe 2052 ~1j%([6%P.exe 2988 G64izER5T.exe 3848 oEq.exe 1244 oEq.exe 3880 9333.exe 1960 9333.exe 4492 9333.exe 2496 9333.exe 2960 svchost.exe -
Loads dropped DLL 3 IoCs
Processes:
G64izER5T.exerundll32.exepid process 2988 G64izER5T.exe 2988 G64izER5T.exe 3824 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes:
certreq.exeexplorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9333.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9333 = "C:\\Users\\Admin\\AppData\\Local\\9333.exe" 9333.exe Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9333 = "C:\\Users\\Admin\\AppData\\Local\\9333.exe" 9333.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
Processes:
9333.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 9333.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini 9333.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini 9333.exe File opened for modification C:\Program Files\desktop.ini 9333.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
svchost.exedescription ioc process File opened for modification \??\PhysicalDrive0 svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeoEq.exe9333.exe9333.exedescription pid process target process PID 2020 set thread context of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 1176 set thread context of 1244 1176 oEq.exe oEq.exe PID 3880 set thread context of 1960 3880 9333.exe 9333.exe PID 4492 set thread context of 2496 4492 9333.exe 9333.exe -
Drops file in Program Files directory 64 IoCs
Processes:
9333.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE 9333.exe File created C:\Program Files\Java\jdk-1.8\bin\javac.exe.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE 9333.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dll 9333.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets 9333.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll 9333.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL 9333.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.ELM.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl 9333.exe File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig 9333.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jli.dll 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\Resources.pri.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui 9333.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 9333.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms 9333.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll 9333.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll 9333.exe File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml 9333.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.id[6438419B-3483].[[email protected]].8base 9333.exe File created C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.id[6438419B-3483].[[email protected]].8base 9333.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml 9333.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4848 2988 WerFault.exe G64izER5T.exe -
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
oEq.exevds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI oEq.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI oEq.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI oEq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
G64izER5T.execertreq.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 G64izER5T.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString G64izER5T.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 certreq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString certreq.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1956 timeout.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2920 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.execertreq.exeoEq.exeoEq.exeG64izER5T.exeExplorer.EXEpid process 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe 232 certreq.exe 232 certreq.exe 232 certreq.exe 232 certreq.exe 1176 oEq.exe 1176 oEq.exe 1244 oEq.exe 1244 oEq.exe 2988 G64izER5T.exe 2988 G64izER5T.exe 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3092 Explorer.EXE -
Suspicious behavior: MapViewOfSection 33 IoCs
Processes:
oEq.exeExplorer.EXEexplorer.exepid process 1244 oEq.exe 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 3092 Explorer.EXE 4000 explorer.exe 4000 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeoEq.exeExplorer.EXE9333.exe9333.exe9333.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe Token: SeDebugPrivilege 1176 oEq.exe Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeDebugPrivilege 3880 9333.exe Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeDebugPrivilege 4492 9333.exe Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeDebugPrivilege 1960 9333.exe Token: SeBackupPrivilege 2348 vssvc.exe Token: SeRestorePrivilege 2348 vssvc.exe Token: SeAuditPrivilege 2348 vssvc.exe Token: SeIncreaseQuotaPrivilege 4400 WMIC.exe Token: SeSecurityPrivilege 4400 WMIC.exe Token: SeTakeOwnershipPrivilege 4400 WMIC.exe Token: SeLoadDriverPrivilege 4400 WMIC.exe Token: SeSystemProfilePrivilege 4400 WMIC.exe Token: SeSystemtimePrivilege 4400 WMIC.exe Token: SeProfSingleProcessPrivilege 4400 WMIC.exe Token: SeIncBasePriorityPrivilege 4400 WMIC.exe Token: SeCreatePagefilePrivilege 4400 WMIC.exe Token: SeBackupPrivilege 4400 WMIC.exe Token: SeRestorePrivilege 4400 WMIC.exe Token: SeShutdownPrivilege 4400 WMIC.exe Token: SeDebugPrivilege 4400 WMIC.exe Token: SeSystemEnvironmentPrivilege 4400 WMIC.exe Token: SeRemoteShutdownPrivilege 4400 WMIC.exe Token: SeUndockPrivilege 4400 WMIC.exe Token: SeManageVolumePrivilege 4400 WMIC.exe Token: 33 4400 WMIC.exe Token: 34 4400 WMIC.exe Token: 35 4400 WMIC.exe Token: 36 4400 WMIC.exe Token: SeShutdownPrivilege 3092 Explorer.EXE Token: SeCreatePagefilePrivilege 3092 Explorer.EXE Token: SeIncreaseQuotaPrivilege 4400 WMIC.exe Token: SeSecurityPrivilege 4400 WMIC.exe Token: SeTakeOwnershipPrivilege 4400 WMIC.exe Token: SeLoadDriverPrivilege 4400 WMIC.exe Token: SeSystemProfilePrivilege 4400 WMIC.exe Token: SeSystemtimePrivilege 4400 WMIC.exe Token: SeProfSingleProcessPrivilege 4400 WMIC.exe Token: SeIncBasePriorityPrivilege 4400 WMIC.exe Token: SeCreatePagefilePrivilege 4400 WMIC.exe Token: SeBackupPrivilege 4400 WMIC.exe Token: SeRestorePrivilege 4400 WMIC.exe Token: SeShutdownPrivilege 4400 WMIC.exe Token: SeDebugPrivilege 4400 WMIC.exe Token: SeSystemEnvironmentPrivilege 4400 WMIC.exe Token: SeRemoteShutdownPrivilege 4400 WMIC.exe Token: SeUndockPrivilege 4400 WMIC.exe Token: SeManageVolumePrivilege 4400 WMIC.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
svchost.exepid process 2960 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeoEq.exeG64izER5T.execmd.exeExplorer.EXE9333.exe9333.exe9333.execmd.execmd.exedescription pid process target process PID 2020 wrote to memory of 2692 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 2692 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 2692 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 1300 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 1300 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 1300 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 2020 wrote to memory of 4628 2020 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe PID 4628 wrote to memory of 232 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe certreq.exe PID 4628 wrote to memory of 232 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe certreq.exe PID 4628 wrote to memory of 232 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe certreq.exe PID 4628 wrote to memory of 232 4628 ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe certreq.exe PID 1176 wrote to memory of 3848 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 3848 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 3848 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 1244 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 1244 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 1244 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 1244 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 1244 1176 oEq.exe oEq.exe PID 1176 wrote to memory of 1244 1176 oEq.exe oEq.exe PID 2988 wrote to memory of 4220 2988 G64izER5T.exe cmd.exe PID 2988 wrote to memory of 4220 2988 G64izER5T.exe cmd.exe PID 2988 wrote to memory of 4220 2988 G64izER5T.exe cmd.exe PID 4220 wrote to memory of 1956 4220 cmd.exe timeout.exe PID 4220 wrote to memory of 1956 4220 cmd.exe timeout.exe PID 4220 wrote to memory of 1956 4220 cmd.exe timeout.exe PID 3092 wrote to memory of 3880 3092 Explorer.EXE 9333.exe PID 3092 wrote to memory of 3880 3092 Explorer.EXE 9333.exe PID 3092 wrote to memory of 3880 3092 Explorer.EXE 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 3880 wrote to memory of 1960 3880 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 4492 wrote to memory of 2496 4492 9333.exe 9333.exe PID 1960 wrote to memory of 4300 1960 9333.exe cmd.exe PID 1960 wrote to memory of 4300 1960 9333.exe cmd.exe PID 1960 wrote to memory of 4380 1960 9333.exe cmd.exe PID 1960 wrote to memory of 4380 1960 9333.exe cmd.exe PID 4380 wrote to memory of 4484 4380 cmd.exe netsh.exe PID 4380 wrote to memory of 4484 4380 cmd.exe wbadmin.exe PID 4300 wrote to memory of 2920 4300 cmd.exe vssadmin.exe PID 4300 wrote to memory of 2920 4300 cmd.exe vssadmin.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe"C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeC:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe3⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeC:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exeC:\Users\Admin\AppData\Local\Temp\ff17decde175542855e8ba56eb8058f180ef6f7696231bf7623906ffb264d619.exe3⤵PID:1300
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:232 -
C:\Users\Admin\AppData\Local\Temp\9333.exeC:\Users\Admin\AppData\Local\Temp\9333.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Users\Admin\AppData\Local\Temp\9333.exeC:\Users\Admin\AppData\Local\Temp\9333.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\9333.exe"C:\Users\Admin\AppData\Local\Temp\9333.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\9333.exeC:\Users\Admin\AppData\Local\Temp\9333.exe5⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:2920 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:4356 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:2716 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:4484 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
PID:4484 -
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable5⤵
- Modifies Windows Firewall
PID:5040 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1332 -
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:5004
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4896
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:808
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4176
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:1176
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2664
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4884
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:3880
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3460
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:296
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:912
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2120
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:620
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Suspicious behavior: MapViewOfSection
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exeC:\Users\Admin\AppData\Local\Temp\4711.tmp\svchost.exe -debug3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:2960 -
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\4711.tmp\aa_nts.dll",run4⤵
- Loads dropped DLL
PID:3824
-
C:\Users\Admin\AppData\Local\Microsoft\oEq.exe"C:\Users\Admin\AppData\Local\Microsoft\oEq.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Users\Admin\AppData\Local\Microsoft\oEq.exeC:\Users\Admin\AppData\Local\Microsoft\oEq.exe2⤵
- Executes dropped EXE
PID:3848 -
C:\Users\Admin\AppData\Local\Microsoft\oEq.exeC:\Users\Admin\AppData\Local\Microsoft\oEq.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1244
-
C:\Users\Admin\AppData\Local\Microsoft\~1j%([6%P.exe"C:\Users\Admin\AppData\Local\Microsoft\~1j%([6%P.exe"1⤵
- Executes dropped EXE
PID:2052
-
C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe"C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\G64izER5T.exe" & del "C:\ProgramData\*.dll"" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:1956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 24282⤵
- Program crash
PID:4848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2988 -ip 29881⤵PID:4276
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:2780
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2824
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4900
-
C:\Users\Admin\AppData\Roaming\bjgedieC:\Users\Admin\AppData\Roaming\bjgedie1⤵PID:4868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Indicator Removal
3File Deletion
3Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[6438419B-3483].[[email protected]].8base
Filesize2.7MB
MD5e01fd98166ea3b557442b1be1db44667
SHA1a3905e07b0b8e32241afc1b77dbee7f2f6104f10
SHA25697eed8c172b3fcec3ffc48ec5a7eda26410c71a29492bda3c5db1e068a78455a
SHA512ac6bb72607724c9342755ff2e36e443f04875f667a1d84416326aa8fc2d035a628dbda9a5456362a8fbe4786ae275cba3e2aee7fa55b7e708723fb8973c0b1fe
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
2.6MB
MD5f4d64c9ae825a8b1e0db64c93d37eb2a
SHA103d03b2fcafc1fc36b960b6351e951fe40fb0c66
SHA256c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
SHA5125bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1016B
MD54353288293ab8929e492327245a7ccb2
SHA189b365f2f5e14faaf17715e5764b60d344250d67
SHA25661954fc5184dd88a959f803ee98ca9af53eb0c942dbb00b98ba4f8a46081b587
SHA51248c07ca1b769cf02af6ec938aad8b5a03133e82a451bdff5a03bf4ba47cfd7add0ab28ee6622c22fb54e127472a7cf68dd7d05da15ec439cc18aed2ca76cd08a
-
Filesize
284KB
MD572415112539a03fe18a25f3924650d06
SHA1e371c4a85311200f061871455c9496e7ea1e552f
SHA2560890a21c1f335ae3c5c73f158659204204bc4ba403edbc34b37b856cfe1af8d7
SHA512281bb33bd0b84761fe5ed540885e4952b3c87929098463be4fda008a750efc428df3eb2b93f4c1339d8505abf3d2b2b5d1560163bc04beb78d203ec65f5bed16
-
Filesize
284KB
MD572415112539a03fe18a25f3924650d06
SHA1e371c4a85311200f061871455c9496e7ea1e552f
SHA2560890a21c1f335ae3c5c73f158659204204bc4ba403edbc34b37b856cfe1af8d7
SHA512281bb33bd0b84761fe5ed540885e4952b3c87929098463be4fda008a750efc428df3eb2b93f4c1339d8505abf3d2b2b5d1560163bc04beb78d203ec65f5bed16
-
Filesize
2.5MB
MD5a5e52d00a57904485aeb8e6580ce4666
SHA18f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA25613d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76
-
Filesize
2.5MB
MD5a5e52d00a57904485aeb8e6580ce4666
SHA18f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA25613d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76
-
Filesize
2.5MB
MD5a5e52d00a57904485aeb8e6580ce4666
SHA18f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA25613d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76
-
Filesize
2.5MB
MD5a5e52d00a57904485aeb8e6580ce4666
SHA18f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA25613d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76
-
Filesize
968KB
MD52a40a56b3dbe361864baac57a7815de4
SHA1a0b67c7eb5bb378010ada7a3cf6bfe4101df9049
SHA2563d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99
SHA5126c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2
-
Filesize
968KB
MD52a40a56b3dbe361864baac57a7815de4
SHA1a0b67c7eb5bb378010ada7a3cf6bfe4101df9049
SHA2563d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99
SHA5126c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
46B
MD53f05819f995b4dafa1b5d55ce8d1f411
SHA1404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA2567e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA51234abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
2.6MB
MD5f4d64c9ae825a8b1e0db64c93d37eb2a
SHA103d03b2fcafc1fc36b960b6351e951fe40fb0c66
SHA256c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
SHA5125bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa
-
Filesize
2.6MB
MD5f4d64c9ae825a8b1e0db64c93d37eb2a
SHA103d03b2fcafc1fc36b960b6351e951fe40fb0c66
SHA256c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
SHA5125bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa
-
Filesize
2.6MB
MD5f4d64c9ae825a8b1e0db64c93d37eb2a
SHA103d03b2fcafc1fc36b960b6351e951fe40fb0c66
SHA256c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
SHA5125bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa
-
Filesize
2.6MB
MD5f4d64c9ae825a8b1e0db64c93d37eb2a
SHA103d03b2fcafc1fc36b960b6351e951fe40fb0c66
SHA256c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
SHA5125bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa
-
Filesize
2.6MB
MD5f4d64c9ae825a8b1e0db64c93d37eb2a
SHA103d03b2fcafc1fc36b960b6351e951fe40fb0c66
SHA256c83894f6f01a0d4a492c2e05966816e27dac6b9093f83b499b6a5b2f28b53cec
SHA5125bc061c49628d4c72114366ef81b451f44f14d2ab8a8dedb9699d894156091dab2dca4f04f810651397876959139e8a28d6acba81da803b3e723c834d88749fa
-
Filesize
92KB
MD54bd8313fab1caf1004295d44aab77860
SHA10b84978fd191001c7cf461063ac63b243ffb7283
SHA256604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9
SHA512ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cookies.sqlite.id[6438419B-3483].[[email protected]].8base
Filesize96KB
MD5e81ca85dd3ea4824dba3bc6d7ffd24c4
SHA190179e23dc133ca5ab429a6dca791e74570a42bf
SHA2561e01065b6272f94d19cd1282cdad1e1d014dd62c79d2bd93662f0c01e9b88ecd
SHA51219e422044432da08329126445b5437a64b1e1f0ce98408d15f4701606b43c67821df0b2d850c18c0ed7eb4666ffda97beafd36b021f3abafa7edf1d1a97c5b2b
-
Filesize
2.3MB
MD5791147ed059d663af515fc859977cdeb
SHA16810607e9675118b73c4e9ad8f785fd320dee4de
SHA256568a0946df892f6460b40b03ceaaecfac76c953cf97e5c0a1eaa03b1bc950b6c
SHA5128ccf807e551e02a60753189d4aa21ff83b6ba0c943f65c1b66b5c5bab204fcbaf5e21864ad30638b86c88a5490c6fd3b403fdb793d6380a395c86f8074ce5aeb
-
Filesize
2.5MB
MD5373c5c9f13e29e5645bae98ac0b19244
SHA1c95981705d7ca8c8239e67343bbf5126c0b726ca
SHA256e5aab2aa82e052559739b7e1c9f15fde7a943d4acbaad7dfec89259726f8035e
SHA512d7f257476784fd9ed32ad49a2ca351225331da4b0269eee92cd7dc9d2e98f9390f3c2c34ccc9bee941d3bbf40d25de55f729d47ec8837f5cdb5b9f2c9ccac81b