Analysis
- max time kernel: 36s
- max time network: 110s
- platform: windows10-1703_x64
- resource: win10-20231129-en
- resource tags: arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06/12/2023, 19:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe
  - Resource: win10-20231129-en
General
- Target: 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe
- Size: 267KB
- MD5: 9d6bbeb2166024ee13a73411aa51deb5
- SHA1: ce56aa5a845527b6b9ac7ea45a4b91e1d88d352b
- SHA256: 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4
- SHA512: e341385b95b7452a6b74c3d01be6930dad369d40a23267fccda9c826d7d269aa06059433ec777b1b8843a83027c36920feddf6c12744a0f1ba071c3b9da6876f
- SSDEEP: 1536:M0rOuGhuP6DQbIv4fZGfuL+jJmwo5zLFl1XWnljgvFv+wlQRz2Abo/wgN+1HB/8+:M05QEbIv4B2uL+jJmL5+F7Vdb9r/+
Malware Config

Extracted: smokeloader
- pu10

Extracted: smokeloader
- 2020
- C2: http://host-file-host6.com/
- C2: http://host-host-file8.com/

Extracted: djvu
- C2: http://zexeq.com/test1/get.php
- extension: .nbzi
- offline_id: csCsb6cUvy0iMa6NgGCGH0hSfXQlGjZVEmFVkgt1
- payload_url: http://brusuax.com/dl/build2.exe
- payload_url: http://zexeq.com/files/1/build3.exe
- ransomnote:
  ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8dGJ2tqlOd Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0832ASdw

The two payload URLs are the build2.exe and build3.exe that appear in the process tree below under C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\. The offline_id ends in "t1", the suffix STOP/Djvu uses when it falls back to its embedded offline key because the C2 could not be reached; files encrypted under an offline key are the case for which public decryptors can sometimes help, those encrypted under an online key are not.

Extracted: risepro
- C2: 193.233.132.51
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

Detect ZGRat V1 (23 IoCs)
YARA rule family_zgrat_v1 matched 23 memory dumps of PID 4128 (the second 2D57.exe instance), all covering 0x0000022EC9F30000-0x0000022ECA010000 (dump 101 extends to 0x0000022ECA014000): behavioral1/memory/4128-{101, 105, 106, 108, 117, 119, 121, 123, 125, 127, 129, 131, 133, 135, 137, 139, 141, 143, 145, 147, 149, 151, 153}-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp.

Detected Djvu ransomware (15 IoCs)
YARA rule family_djvu matched:
- PID 2368 (21CD.exe), 0x0000000000400000-0x0000000000537000: dumps 46, 49, 51, 53, 65
- PID 4756 (21CD.exe), 0x0000000002620000-0x000000000273B000: dump 52
- PID 3136 (21CD.exe), 0x0000000000400000-0x0000000000537000: dumps 71, 72, 73, 79, 80, 112, 115, 116, 1820
The hits are in the 21CD.exe instances that were written into by their parents (see SetThreadContext below), not in the dropped file itself.

Djvu Ransomware
Ransomware which is a variant of the STOP family.

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

SmokeLoader
Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (B56.exe)

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (B56.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (B56.exe)

Executes dropped EXE (14 IoCs)
PID / process: 2520 B56.exe; 4756 21CD.exe; 2368 21CD.exe; 224 21CD.exe; 3136 21CD.exe; 5008 2D57.exe; 4128 2D57.exe; 2508 345D.exe; 4164 build2.exe; 1544 bS4hi99.exe; 3376 build2.exe; 2848 bH4bi22.exe; 4232 xC3Qm35.exe; 4736 1Vt73Jx3.exe

Modifies file permissions (1 TTP, 1 IoC)
- PID 3052 icacls.exe
The command line (process tree below) is icacls "C:\Users\Admin\AppData\Local\a59624d6-f1c6-4f19-8770-fc9ec54a0899" /deny *S-1-1-0:(OI)(CI)(DE,DC). It adds a deny ACE for Everyone (S-1-1-0) covering Delete and Delete-Child, inherited by files and subfolders, on the directory that holds the persisted 21CD.exe copy, so the file survives ordinary deletion. Cleanup has to remove the deny ACE first (icacls <dir> /remove:d *S-1-1-0, or /reset) before the directory can be deleted.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (4 IoCs)
YARA rule themida matched two dropped-file artifacts and the memory of PID 2520 (B56.exe): behavioral1/files/0x000700000001a987-20.dat, behavioral1/files/0x000700000001a987-21.dat, behavioral1/memory/2520-32-0x0000000000F60000-0x0000000001A2A000-memory.dmp, behavioral1/memory/2520-1524-0x0000000000F60000-0x0000000001A2A000-memory.dmp. Themida-protected code is what the NtSetInformationThreadHideFromDebugger and BIOS/ACPI checks by the same process belong to.

Adds Run key to start application (2 TTPs, 6 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (1Vt73Jx3.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a59624d6-f1c6-4f19-8770-fc9ec54a0899\\21CD.exe\" --AutoStart" (21CD.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (345D.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (bS4hi99.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (bH4bi22.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (xC3Qm35.exe)
Only the first two are payload persistence. The four wextract_cleanup RunOnce values are written by IExpress self-extractors to delete their own IXP00n.TMP extraction directory at next logon; they mark the 345D.exe chain as four nested IExpress packages rather than adding a foothold.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (B56.exe)

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flows 35, 37, 51: api.2ip.ua
- flows 65, 66: ipinfo.io
api.2ip.ua is the lookup STOP/Djvu is known to perform as its geolocation check before it starts encrypting.

Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\System32\GroupPolicy (1Vt73Jx3.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (1Vt73Jx3.exe)
- File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1Vt73Jx3.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (1Vt73Jx3.exe)
Writing Registry.pol and gpt.ini under GroupPolicy\Machine edits the local Group Policy store; the policy content is not captured here.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 2520 B56.exe

Suspicious use of SetThreadContext (5 IoCs)
writer PID (process) -> target PID [target procid]
- 4168 (1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe) -> 4136 [23]
- 4756 (21CD.exe) -> 2368 [83]
- 224 (21CD.exe) -> 3136 [87]
- 5008 (2D57.exe) -> 4128 [102]
- 4164 (build2.exe) -> 3376 [92]
In every case the writer is the parent and the target is a freshly created child running the same image, preceded by repeated WriteProcessMemory calls into that child: the RunPE/process-hollowing pattern. The family YARA hits land in those children (Djvu in 2368 and 3136, ZGRat in 4128), and two of them (4136, 3376) later die under WerFault.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
WerFault PID -> crashed PID [target procid]
- 4724 -> 4136 [23]
- 2840 -> 3376 [92]
- 1064 -> 4736 [97]

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4452 schtasks.exe
- PID 168 schtasks.exe
Both command lines (process tree below) register C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe with /rl HIGHEST, one at logon ("OfficeTrackerNMP131 LG", /sc ONLOGON) and one hourly ("OfficeTrackerNMP131 HR", /sc HOURLY).
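The Run-key values and the two schtasks command lines are the persistence this sample leaves behind, but the report shows them as raw registry events with doubled backslashes and as unparsed command lines. The following is an added example, not code from the report or from any tool it uses: it parses both forms into one record type, normalises the \REGISTRY\ hive prefixes to HKLM/HKU, splits the command into executable and arguments, separates the IExpress wextract_cleanup RunOnce values (packaging noise) from real autostarts, and tags entries whose target lives in a user-writable path. The REPORT_* sample lines are copied from this report; the record layout and the "iexpress_cleanup" and "user_writable_path" heuristics are the example's own choices.

```python
"""Normalise the persistence artefacts a sandbox report lists as raw registry
events and schtasks command lines into one comparable record set.

Added example; not code from the report or from the malware. The REPORT_*
lines are copied from this report; the record layout, the 'iexpress_cleanup'
heuristic and the 'user_writable_path' tag are this example's own choices."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Report format:  Set value (type) \REGISTRY\...\Key\ValueName = "data" Process
_REG_LINE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+)$')
_TOKEN = re.compile(r'"[^"]*"|\S+')     # schtasks tokens; quoted values stay whole
_HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))
_USER_WRITABLE = ("\\appdata\\local\\", "\\programdata\\", "\\temp\\")


@dataclass
class Persistence:
    kind: str                        # "run_key" or "scheduled_task"
    location: str                    # normalised registry key, or task name
    command: str                     # full command line, unescaped
    exe: str                         # executable path only
    args: str = ""
    process: Optional[str] = None    # process that wrote the value (registry only)
    trigger: Optional[str] = None    # schtasks /sc
    run_level: Optional[str] = None  # schtasks /rl
    run_as: Optional[str] = None     # schtasks /RU
    tags: List[str] = field(default_factory=list)

    def finish(self) -> "Persistence":
        if any(p in self.exe.lower() for p in _USER_WRITABLE):
            self.tags.append("user_writable_path")
        return self


def _split_command(cmd: str):
    """(exe, args), honouring a leading double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def parse_run_key(line: str) -> Optional[Persistence]:
    m = _REG_LINE.match(line.strip())
    if not m:
        return None
    _vtype, full_path, raw_data, process = m.groups()
    for prefix, short in _HIVES:     # \REGISTRY\MACHINE -> HKLM, \REGISTRY\USER\<SID> -> HKU\<SID>
        if full_path.startswith(prefix):
            full_path = short + full_path[len(prefix):]
    key, _, value_name = full_path.rpartition("\\")
    command = raw_data.replace('\\"', '"').replace("\\\\", "\\")   # undo the report's escaping
    exe, args = _split_command(command)
    rec = Persistence("run_key", key, command, exe, args, process=process)
    rec.tags += ["RunOnce" if key.endswith("\\RunOnce") else "Run", "value=" + value_name]
    # IExpress self-extractors register a RunOnce value that deletes their IXP*.TMP
    # directory at next logon; it is a packaging artefact, not payload persistence.
    if value_name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in command:
        rec.tags.append("iexpress_cleanup")
    return rec.finish()


def parse_schtasks(cmdline: str) -> Optional[Persistence]:
    """Parse `schtasks /create ...`; other verbs and non-schtasks lines give None."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not toks or toks[0].lower().split("\\")[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key], i = toks[i + 1], i + 2     # switch with a value
        else:
            opts[key], i = True, i + 1            # bare switch such as /create or /f
    if "/create" not in opts:
        return None
    exe, args = _split_command(opts.get("/tr", ""))
    rec = Persistence("scheduled_task", opts.get("/tn", ""), opts.get("/tr", ""), exe, args,
                      trigger=str(opts.get("/sc", "")).upper(),
                      run_level=str(opts.get("/rl", "")).upper(), run_as=opts.get("/ru"))
    if rec.run_level == "HIGHEST":
        rec.tags.append("elevated")
    return rec.finish()


def high_signal(records):
    """Drop parse failures and packaging artefacts; keep what relaunches a payload."""
    return [r for r in records if r is not None and "iexpress_cleanup" not in r.tags]


# Copied from this report's "Adds Run key" table and process tree.
REPORT_RUN_KEYS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" 1Vt73Jx3.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a59624d6-f1c6-4f19-8770-fc9ec54a0899\\21CD.exe\" --AutoStart" 21CD.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 345D.exe',
]
REPORT_TASKS = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
]
```

Running `high_signal([parse_run_key(l) for l in REPORT_RUN_KEYS] + [parse_schtasks(c) for c in REPORT_TASKS])` on the report's lines yields four records: the MaxLoonaFest131 and SysHelper Run values and the two OfficeTrackerNMP131 tasks, all tagged user_writable_path, the tasks additionally tagged elevated; the wextract_cleanup0 entry is dropped as packaging noise.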
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4136 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe (2 events)
- PID 3428 "Process not Found" (62 events)
PID 3428 is absent from the captured process list, yet the tables below show it as the creator of cmd.exe (FF9D.bat), B56.exe, 21CD.exe, 2D57.exe and 345D.exe and as the source of the shell-tray and shutdown-privilege activity. That is the role of the SmokeLoader stage running inside a pre-existing process that the sandbox did not attribute; treat 3428 as the loader, not as noise.

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 4136 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
- PID 3428 "Process not Found": SeShutdownPrivilege (7 events), SeCreatePagefilePrivilege (7 events)
- PID 5008 2D57.exe: SeDebugPrivilege
- PID 2520 B56.exe: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 3428 "Process not Found" (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 3428 "Process not Found" (2 events)

Suspicious use of WriteProcessMemory (64 IoCs)
writer PID (process) -> target PID [target procid]: events
- 4168 (1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe) -> 4136 [23]: 6
- 3428 (Process not Found) -> 2764 [79]: 2
- 2764 (cmd.exe) -> 3012 [77]: 2
- 3428 (Process not Found) -> 2520 [80]: 3
- 3428 (Process not Found) -> 4756 [82]: 3
- 4756 (21CD.exe) -> 2368 [83]: 10
- 2368 (21CD.exe) -> 3052 [84]: 3
- 2368 (21CD.exe) -> 224 [86]: 3
- 224 (21CD.exe) -> 3136 [87]: 10
- 3428 (Process not Found) -> 5008 [103]: 2
- 5008 (2D57.exe) -> 4128 [102]: 6
- 3428 (Process not Found) -> 2508 [89]: 3
- 3136 (21CD.exe) -> 4164 [90]: 3
- 2508 (345D.exe) -> 1544 [91]: 3
- 4164 (build2.exe) -> 3376 [92]: 5
Two or three writes into a new child are what ordinary process creation looks like in this sandbox; the 5-10 write bursts are confined to the five parent/child pairs that also appear under SetThreadContext.
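Each of the five SetThreadContext events is a parent acting on a freshly created child that runs the same image, after a burst of WriteProcessMemory calls into it, and the family YARA hits land in exactly those children (Djvu in 2368 and 3136, ZGRat in 4128). The added example below, not code from the report, encodes that reasoning: it rebuilds the writer/target pairs from the report's tables, grades each as a hollowing candidate, and separates the WerFault crashes of hollowed children (4136, 3376) from the one that is not (4736). The process table, event counts and crash list are transcribed from this report (a parent of None means the tree shows none); the confidence scale is the example's own.

```python
"""Rank the SetThreadContext events of a sandbox report as process-hollowing
candidates and tie them to the later WerFault crashes.

Added example; not code from the report or from the malware. PROCESSES,
SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY and CRASHED are transcribed from this
report's process tree and signature tables; a parent of None means the tree
does not show one (top-level entries, and 2D57.exe PID 4128)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe"

# pid -> (parent pid, image name)
PROCESSES: Dict[int, Tuple[Optional[int], str]] = {
    4168: (None, SAMPLE), 4136: (4168, SAMPLE),
    4756: (3428, "21CD.exe"), 2368: (4756, "21CD.exe"),
    224: (2368, "21CD.exe"), 3136: (224, "21CD.exe"),
    5008: (3428, "2D57.exe"), 4128: (None, "2D57.exe"),
    4164: (3136, "build2.exe"), 3376: (4164, "build2.exe"),
    2508: (3428, "345D.exe"), 1544: (2508, "bS4hi99.exe"),
    4232: (2848, "xC3Qm35.exe"), 4736: (4232, "1Vt73Jx3.exe"),
}
# (writer pid, target pid) from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(4168, 4136), (4756, 2368), (224, 3136), (5008, 4128), (4164, 3376)]
# (writer pid, target pid) -> number of WriteProcessMemory events
WRITE_PROCESS_MEMORY = Counter({
    (4168, 4136): 6, (4756, 2368): 10, (224, 3136): 10, (5008, 4128): 6, (4164, 3376): 5,
    (3428, 4756): 3, (3428, 5008): 2, (3428, 2508): 3, (3136, 4164): 3, (2508, 1544): 3,
})
CRASHED: Set[int] = {4136, 3376, 4736}   # targets of WerFault.exe -p <pid> ("Program crash")

_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    writer: int
    target: int
    image: str
    same_image: bool      # writer and target run the same image name
    lineage: str          # "child", "unknown" (no parent shown) or "unrelated"
    writes: int           # WriteProcessMemory events writer -> target
    crashed: bool         # target later died under WerFault
    confidence: str


def rank(set_ctx, writes, procs, crashed) -> List[Finding]:
    """RunPE/hollowing: a parent writes into a suspended child of its own image,
    then SetThreadContext points the child's thread at the written code."""
    out = []
    for w, t in set_ctx:
        ppid, t_img = procs.get(t, (None, ""))
        w_img = procs.get(w, (None, ""))[1]
        same = bool(t_img) and t_img.lower() == w_img.lower()
        lineage = "child" if ppid == w else ("unknown" if ppid is None else "unrelated")
        n = writes.get((w, t), 0)
        if same and n and lineage != "unrelated":
            conf = "high"
        elif same or n:
            conf = "medium"       # e.g. a debugger-style cross-image SetThreadContext
        else:
            conf = "low"
        out.append(Finding(w, t, t_img, same, lineage, n, t in crashed, conf))
    return sorted(out, key=lambda f: (_RANK[f.confidence], -f.writes))


def hollowed_pids(findings: List[Finding]) -> Set[int]:
    """PIDs whose memory, not their on-disk image, is what a YARA scan should target."""
    return {f.target for f in findings if f.confidence == "high"}


def unexplained_crashes(findings: List[Finding], crashed: Set[int]) -> Set[int]:
    """Crashes not accounted for by a hollowing target; worth a separate look."""
    return crashed - {f.target for f in findings}


if __name__ == "__main__":
    for f in rank(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, PROCESSES, CRASHED):
        print(f"{f.confidence:6} {f.writer:>5} -> {f.target:<5} {f.image}"
              f"  writes={f.writes} lineage={f.lineage} crashed={f.crashed}")
    print("unexplained crashes:", unexplained_crashes(
        rank(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, PROCESSES, CRASHED), CRASHED))
```

On this report all five pairs rank high, so the memory of 4136, 2368, 3136, 4128 and 3376 is where family scanning belongs, while the 1Vt73Jx3.exe crash (4736) is left over as something else to explain; a cross-image SetThreadContext with no preceding writes would rank low.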
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe (PID 4168)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe (PID 4136)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\WerFault.exe (PID 4724)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 496
      - Program crash

C:\Windows\system32\reg.exe (PID 3012)
  cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  (listed at the top level; the WriteProcessMemory table records cmd.exe PID 2764, i.e. FF9D.bat, as its creator)

C:\Windows\system32\cmd.exe (PID 2764)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF9D.bat" "
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\B56.exe (PID 2520)
  cmdline: C:\Users\Admin\AppData\Local\Temp\B56.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\21CD.exe (PID 4756)
  cmdline: C:\Users\Admin\AppData\Local\Temp\21CD.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\21CD.exe (PID 2368)
    cmdline: C:\Users\Admin\AppData\Local\Temp\21CD.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\icacls.exe (PID 3052)
      cmdline: icacls "C:\Users\Admin\AppData\Local\a59624d6-f1c6-4f19-8770-fc9ec54a0899" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
    C:\Users\Admin\AppData\Local\Temp\21CD.exe (PID 224)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\21CD.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\21CD.exe (PID 3136)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\21CD.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe (PID 4164)
          cmdline: "C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe (PID 3376)
            cmdline: "C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe"
            - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe (PID 2840)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2084
              - Program crash
        C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build3.exe (PID 2184)
          cmdline: "C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build3.exe"

C:\Users\Admin\AppData\Local\Temp\345D.exe (PID 2508)
  cmdline: C:\Users\Admin\AppData\Local\Temp\345D.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  (IXP000.TMP through IXP003.TMP and the matching wextract_cleanup RunOnce values are the footprint of four nested IExpress self-extracting packages)
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe (PID 1544)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe
    - Executes dropped EXE
    - Adds Run key to start application
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe (PID 2848)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe
      - Executes dropped EXE
      - Adds Run key to start application
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe (PID 4232)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe
        - Executes dropped EXE
        - Adds Run key to start application
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe (PID 4736)
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          C:\Windows\SysWOW64\schtasks.exe (PID 168)
            cmdline: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\WerFault.exe (PID 1064)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1648
            - Program crash

C:\Windows\SysWOW64\schtasks.exe (PID 4452)
  cmdline: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)

C:\Windows\system32\svchost.exe (PID 316)
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe (PID 2660)
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Users\Admin\AppData\Local\Temp\2D57.exe (PID 4128)
  cmdline: C:\Users\Admin\AppData\Local\Temp\2D57.exe
  - Executes dropped EXE
  (listed at the top level; the SetThreadContext and WriteProcessMemory tables show PID 5008 as the process that wrote into it, and the ZGRat YARA hits are in this PID's memory)

C:\Users\Admin\AppData\Local\Temp\2D57.exe (PID 5008)
  cmdline: C:\Users\Admin\AppData\Local\Temp\2D57.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (T1053) (1)
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (T1053) (1)
Defense Evasion
- File and Directory Permissions Modification (T1222) (1)
- Modify Registry (T1112) (1)
- Virtualization/Sandbox Evasion (T1497) (1)
Downloads

The four CryptnetUrlCache entries are Windows CryptoAPI certificate/CRL cache files written by the OS during the run's TLS and code-signing checks, not files dropped by the malware; they are listed because the sandbox records every new file.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: af207fce02ccd72197c25681aba5b26c
  SHA1: bf39a079dc359f7ff5f06be728a5946f1833e0fb
  SHA256: 6dfce12200dadf41850434319a9d3db7c613a09ed0b7e5c584e6c5ad58875d11
  SHA512: 1e921f0e40a92083366049b1999a36f2e9f8bc5bc6329bf2ba5a755eae6c283efa66ef5471f0ee3cea676b6ddf87da7a211b783a50c762c46991918db85a8b07

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: fe9925084c9f0f7d25e0970216587c8a
  SHA1: dfd1fdc1064d90eba9f84a2575b34e2016830ec2
  SHA256: 9fd7caab023c6ffad78c9e4b08f74341540369994ffe285fff9007924f735a4c
  SHA512: 18ecd8d11a3d2ae69f7d7d08505a5a7733405bbceb48197c4efcc57fbf45dbd2c5a3932d2f292754efa4907b7b8180df57b7a9b99bba40677ca5baa14e180da6

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 82e8de576b3311d7e87e7f4fa31747e9
  SHA1: a173cfc9a9b93bdbe3e9d6c21c5f0e8bdc98c6b7
  SHA256: 0434af1df9da0494d532ff3749013bc969a84f10473bfe1aab197ffbf55907f8
  SHA512: 384f203a7159ea935648e8d16434bc3236cdddc21b8e353852f4a975d1582b5c53f7d22ed9772d88e8ec4650a8db34964eabb840c0ae4ecc425ed0790938f002
- (path not captured; listed 3 times in the report)
  Filesize: 302KB
  MD5: f5f946c85bbcd85d14e984c5b2d9fdda
  SHA1: dfd3e685b41e62d30395205ee9c6038081b9e875
  SHA256: 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
  SHA512: 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853
- (path not captured; listed 2 times in the report)
  Filesize: 299KB
  MD5: 41b883a061c95e9b9cb17d4ca50de770
  SHA1: 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
  SHA256: fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
  SHA512: cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
- (path not captured)
  Filesize: 1KB
  MD5: 81b6f7911c04d1ce4c04aa863175692e
  SHA1: 7bbb69e4996c85de335721300fac3725ab17234d
  SHA256: fe4c1929c30a9bede91497644aca2a44b8df1dffc7052786139a5674e1c1212a
  SHA512: 9bca4d0aa3286f426eadb50592447743938684a4ecc0ec1db5be18014c667eb3a26ba36ea4d149a4ef17471c2000368a31646724413b71c9ddfdd77977b97d47
- (path not captured; listed 6 times in the report)
  Filesize: 801KB
  MD5: 8e921066e727da79d3b5e0bba12bb40e
  SHA1: 82df9dd35842936dc68f6d7a5c74c0fa2b92a2af
  SHA256: ef2497a7973f8d75f759e6be0e81b8ec5b9c1f5c9759ee8f84297e123863862c
  SHA512: 029ab1da5c7636df1cb1d6eb5a0cc87af3aac0623969fd0205b602954e2c3039dd91e2182216a28722964cb8fa54ac097dab2f7338dd12ad3855ec20d8153d5b
- (path not captured; listed 3 times in the report)
  Filesize: 1.0MB
  MD5: a70d83fb50f0ef7ba20ada80d6f07e9f
  SHA1: 844f1939d41b23e85886178c2e058a9e56c496e9
  SHA256: e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
  SHA512: 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25
- (path not captured; listed 2 times in the report)
  Filesize: 2.6MB
  MD5: 27694aecc39ca2140bb33c69f9e3da41
  SHA1: c48181ccbd8d05cba0ebb06f9a11154ac6407aee
  SHA256: a60b6b72b31b9a0da805a8c0d3a7196300b578745602d9e476bc23a61d87c54a
  SHA512: 2f13e19af4ef04aef2d9f584a4e6267900bc9d1086b4c1299d4223ba7477b1e503e0f3f9408cd85b0f3bb3878a84db464aa101f85b49d33a17fec937afa0ae3e
- (path not captured; listed 2 times in the report)
  Filesize: 4.6MB
  MD5: a3dea4c1f895c2729505cb4712ad469d
  SHA1: fdfeebab437bf7f97fb848cd67abec9409adb3b2
  SHA256: acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
  SHA512: 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4
- (path not captured; listed 3 times in the report)
  Filesize: 1.6MB
  MD5: 151ca633dc1331fe936d7852275b41c8
  SHA1: 679aaacecccd1e4a3c0595b8682c68d984017976
  SHA256: a93afb60a0b0375f95f9f772440ea9c8bfd91026691c8c91eb40b1661074168a
  SHA512: bd9ad2d7427f8df3f26feb4c08f2bb9aa09c1135622369f3be4a55ffe8ace76336788a32cf8b12d4252dc8acbb373708c4f457f2e0929d4222cfcd82dc15ee8a
- (path not captured)
  Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
- (path not captured; listed 2 times in the report)
  Filesize: 2.1MB
  MD5: fcb57295ecc1626eeeed24bd09fd1d7a
  SHA1: 3c026229ffda41bd613eed760a5e47148fe9ae2e
  SHA256: 60e6c9297116d36f8afdcd9b462ebfecf158053916d5754c5d3e05ad33bc652f
  SHA512: 3173b6a66dbd9045a1a98b13672f75b17fadb0b57e0fb9694d68f9aee1d183025bc8656632b0e8cd06dfda755231ec9f3d9445b206adcb6e4a0984df87c61fa1
- (path not captured; listed 2 times in the report)
  Filesize: 1.7MB
  MD5: a944ce66d7d9343827a475f63266e2fc
  SHA1: 430044bcd1c168e870cde4c242cfaec9337f2b1a
  SHA256: 43374c43348058a1b88f006de6679ec6ae6084db2f7efb37736f627466ff2f07
  SHA512: e418abf30db0c6facec6a5d3c4c28ea82b3ccc68ccc8961fff63306e1ce98d8242d4136f6f179f62b2f10fee0c759dcbf5325cd85b70e375bf59476035603d70
- (path not captured; listed 2 times in the report)
  Filesize: 789KB
  MD5: f792094d7e39e109fa00219cbbdc2e30
  SHA1: fec957067137c285a42892206e5bd6652d32140d
  SHA256: 0861f99f1c6092cf1fbca92e43ff73abaf820f50191e0a6605d6a29b08fc0d37
  SHA512: df308cd5190c0162647ab210b003144de9e2c842bbcb58a9a6a903ee67113355184a407e8d0cdc6e282a47666ef74da4dd337bc581cc5d54cdf4b6ab17550390
- (path not captured)
  Filesize: 3KB
  MD5: 48a10c8397504281c3004fa53c3213ca
  SHA1: 2062abec0501a3226a9cce37fb4775724ef9c5f9
  SHA256: 5bd2e7bbb4a65b85a900e0431cc90e5c1644161c2cc9f8e6e26efc116b4175d5
  SHA512: 2ec22f09be6e164a2590120912e999e48890d304b79cc29ff19f211fedefbf1863c683774707ed133d7d685ef98f619549fc8a4e970e1ddce6a2959f5016cce8
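The dropped-files listing reaches this page with the labels glued to their values and the same hash set repeated for every path it was written to. The added example below, not part of the report, parses that layout back into records, checks that each digest has the length its algorithm requires, and merges repeats by SHA256 while keeping a copy count, which is what is needed before the hashes go into a blocklist or a retro-hunt. SAMPLE is an excerpt of the listing above, except that the 77-byte entry's MD5 is replaced with the constructed value "deadbeef" to exercise the validation path.

```python
"""Turn the flattened 'Downloads' (dropped files) listing of a sandbox report
into validated, de-duplicated IOC records.

Added example; not code from the report. SAMPLE is an excerpt of this report's
listing with one change: the MD5 of the 77-byte entry is replaced by the
constructed value "deadbeef" so that the validation path is exercised."""
import re
from collections import OrderedDict
from typing import Dict, List, Optional

_LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")  # label may be glued to value
_SIZE_RE = re.compile(r"^([\d.]+)\s*(B|KB|MB|GB)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def size_to_bytes(text: str) -> Optional[int]:
    m = _SIZE_RE.match(text.strip())
    return int(float(m.group(1)) * _UNIT[m.group(2)]) if m else None


def parse_listing(text: str) -> List[Dict]:
    """One record per 'Filesize' label; an unlabelled line is the path of the next record."""
    records, cur, pending, path = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":            # bullet residue between records
            continue
        if pending is not None:                # value that followed a bare label line
            cur[pending], pending = line, None
            continue
        m = _LABEL_RE.match(line)
        if not m:
            path = line
            continue
        label, value = m.groups()
        if label == "Filesize":
            cur = {"path": path, "copies": 1}
            records.append(cur)
            path = None
        if cur is None:
            continue                           # hash without a preceding Filesize: skip
        if value:
            cur[label] = value
        else:
            pending = label
    for r in records:
        r["bytes"] = size_to_bytes(r.get("Filesize", ""))
        r["problems"] = [h for h, n in _HEX_LEN.items()
                         if not re.fullmatch("[0-9a-f]{%d}" % n, r.get(h, "").lower())]
    return records


def dedupe(records: List[Dict]) -> List[Dict]:
    """Merge records sharing a SHA256; keep the count and every distinct path."""
    merged: "OrderedDict[str, Dict]" = OrderedDict()
    for r in records:
        key = r.get("SHA256")
        if key not in merged:
            m = dict(r)
            m["paths"] = [r["path"]] if r["path"] else []
            del m["path"]
            merged[key] = m
        else:
            merged[key]["copies"] += 1
            if r["path"] and r["path"] not in merged[key]["paths"]:
                merged[key]["paths"].append(r["path"])
    return list(merged.values())


SAMPLE = r"""
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5af207fce02ccd72197c25681aba5b26c
SHA1bf39a079dc359f7ff5f06be728a5946f1833e0fb
SHA2566dfce12200dadf41850434319a9d3db7c613a09ed0b7e5c584e6c5ad58875d11
SHA5121e921f0e40a92083366049b1999a36f2e9f8bc5bc6329bf2ba5a755eae6c283efa66ef5471f0ee3cea676b6ddf87da7a211b783a50c762c46991918db85a8b07
-
Filesize
302KB
MD5f5f946c85bbcd85d14e984c5b2d9fdda
SHA1dfd3e685b41e62d30395205ee9c6038081b9e875
SHA25660f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA5122e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853
-
Filesize
302KB
MD5f5f946c85bbcd85d14e984c5b2d9fdda
SHA1dfd3e685b41e62d30395205ee9c6038081b9e875
SHA25660f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA5122e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853
-
Filesize
77B
MD5deadbeef
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
"""
```

On SAMPLE, `parse_listing` yields four records and `dedupe` three, with the 302KB file carrying copies=2 and the 77-byte record flagged with problems=["MD5"]; on the full listing above the same run collapses the 801KB file to a single record with copies=6.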