Analysis
max time kernel: 38s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 17:14
Static task: static1
Behavioral task: behavioral1
Sample: 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
Resource: win10v2004-20231130-en
General
Target: 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
Size: 230KB
MD5: f047d4dd986b3dc6f374f56dcfc60c6a
SHA1: b65b66ae8a9a76a7e2546f608d40ddede15954af
SHA256: 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a
SHA512: aa04c9ca14b5a791343af6e74b266f70e711e6b78d9037f7e53c198ed244aa681e456df0bcb02e0d11f65530ca4ecf22105e29b74fd36b08439ae1753a9639ab
SSDEEP: 3072:dYbOTP4PXcLEiCZdpuoFOUeGpSx0lnwJ7XgRNUL0oGiWHCK:LTPaXmcyoFOGzwVABH
Malware Config

Extracted
Family: smokeloader
Botnet: up3

Extracted
Family: smokeloader
Version: 2020
C2:
http://host-file-host6.com/
http://host-host-file8.com/

Extracted
Family: djvu
C2: http://zexeq.com/test1/get.php
extension: .nbzi
offline_id: csCsb6cUvy0iMa6NgGCGH0hSfXQlGjZVEmFVkgt1
payload_url:
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8dGJ2tqlOd Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0832ASdw
Signatures

DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
| description | ioc | pid | Process |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02dfcc31-22dd-4866-b979-8aeda9b2f020\\B4BC.exe\" --AutoStart" | | B4BC.exe |
| | | 3636 | schtasks.exe |
| | | 4020 | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
Detect ZGRat V1 24 IoCs
| resource | yara_rule |
| behavioral1/memory/508-91-0x000001EE819F0000-0x000001EE81AD4000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-100-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-97-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-102-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-104-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-110-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-112-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-114-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-108-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-116-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-106-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-120-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-122-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-118-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-124-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-126-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-128-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-135-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-137-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-139-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-141-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-132-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-143-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
| behavioral1/memory/508-130-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp | family_zgrat_v1 |
Detected Djvu ransomware 9 IoCs
| resource | yara_rule |
| behavioral1/memory/4296-50-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/4296-48-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/2608-52-0x0000000002580000-0x000000000269B000-memory.dmp | family_djvu |
| behavioral1/memory/4296-53-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/4296-54-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/4296-64-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/448-70-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/448-71-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/448-73-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
Djvu Ransomware
Ransomware which is a variant of the STOP family.

SmokeLoader
Modular backdoor trojan in use since 2014.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
| description | ioc | Process |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | A27C.exe |

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | A27C.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | A27C.exe |
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
| Key value queried | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation | B4BC.exe |
Deletes itself 1 IoCs
| pid | Process |
| 3248 | Process not Found |
Drops startup file 1 IoCs
| description | ioc | Process |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | AppLaunch.exe |
Executes dropped EXE 13 IoCs
| pid | Process |
| 3756 | A27C.exe |
| 2608 | B4BC.exe |
| 4296 | B4BC.exe |
| 3024 | B4BC.exe |
| 448 | B4BC.exe |
| 3920 | BE43.exe |
| 508 | BE43.exe |
| 1692 | C70E.exe |
| 888 | Oe9XV72.exe |
| 3256 | ta4xZ73.exe |
| 2992 | Re9Xk52.exe |
| 3548 | 1qC43uE0.exe |
| 4452 | 3vT82iQ.exe |
Modifies file permissions 1 TTPs 1 IoCs
| pid | Process |
| 5072 | icacls.exe |

Yara rule match: themida 3 IoCs
| resource | yara_rule |
| behavioral1/files/0x000700000002320a-23.dat | themida |
| behavioral1/files/0x000700000002320a-24.dat | themida |
| behavioral1/memory/3756-34-0x0000000000140000-0x0000000000C0A000-memory.dmp | themida |
Adds Run key to start application 2 TTPs 6 IoCs
| description | ioc | Process |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ta4xZ73.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Re9Xk52.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | AppLaunch.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02dfcc31-22dd-4866-b979-8aeda9b2f020\\B4BC.exe\" --AutoStart" | B4BC.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C70E.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Oe9XV72.exe |

Checks whether UAC is enabled 1 IoCs
| description | ioc | Process |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | A27C.exe |
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
| flow | ioc |
| 69 | api.2ip.ua |
| 100 | ipinfo.io |
| 101 | ipinfo.io |
| 67 | api.2ip.ua |
Drops file in System32 directory 4 IoCs
| description | ioc | Process |
| File opened for modification | C:\Windows\System32\GroupPolicy | AppLaunch.exe |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | AppLaunch.exe |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | AppLaunch.exe |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | AppLaunch.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
| pid | Process |
| 3756 | A27C.exe |
Suspicious use of SetThreadContext 5 IoCs
| description | pid | Process | procid_target |
| PID 3636 set thread context of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 2608 set thread context of 4296 | 2608 | B4BC.exe | 111 |
| PID 3024 set thread context of 448 | 3024 | B4BC.exe | 116 |
| PID 3920 set thread context of 508 | 3920 | BE43.exe | 120 |
| PID 3548 set thread context of 4968 | 3548 | 1qC43uE0.exe | 127 |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
| pid | pid_target | Process | procid_target |
| 2908 | 4416 | WerFault.exe | 89 |
| 3600 | 448 | WerFault.exe | 116 |
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3vT82iQ.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3vT82iQ.exe |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3vT82iQ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| 3636 | schtasks.exe |
| 4020 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
| pid | Process |
| 4416 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
| 4416 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
| 3248 | Process not Found |
Suspicious behavior: MapViewOfSection 1 IoCs
| pid | Process |
| 4416 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
Suspicious use of AdjustPrivilegeToken 12 IoCs
| description | pid | Process |
| Token: SeShutdownPrivilege | 3248 | Process not Found |
| Token: SeCreatePagefilePrivilege | 3248 | Process not Found |
| Token: SeShutdownPrivilege | 3248 | Process not Found |
| Token: SeCreatePagefilePrivilege | 3248 | Process not Found |
| Token: SeShutdownPrivilege | 3248 | Process not Found |
| Token: SeCreatePagefilePrivilege | 3248 | Process not Found |
| Token: SeShutdownPrivilege | 3248 | Process not Found |
| Token: SeCreatePagefilePrivilege | 3248 | Process not Found |
| Token: SeShutdownPrivilege | 3248 | Process not Found |
| Token: SeCreatePagefilePrivilege | 3248 | Process not Found |
| Token: SeDebugPrivilege | 3920 | BE43.exe |
| Token: SeDebugPrivilege | 3756 | A27C.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
| PID 3636 wrote to memory of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 3636 wrote to memory of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 3636 wrote to memory of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 3636 wrote to memory of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 3636 wrote to memory of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 3636 wrote to memory of 4416 | 3636 | 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | 89 |
| PID 3248 wrote to memory of 3052 | 3248 | Process not Found | 103 |
| PID 3248 wrote to memory of 3052 | 3248 | Process not Found | 103 |
| PID 3052 wrote to memory of 4716 | 3052 | cmd.exe | 105 |
| PID 3052 wrote to memory of 4716 | 3052 | cmd.exe | 105 |
| PID 3248 wrote to memory of 1744 | 3248 | Process not Found | 106 |
| PID 3248 wrote to memory of 1744 | 3248 | Process not Found | 106 |
| PID 1744 wrote to memory of 1932 | 1744 | cmd.exe | 108 |
| PID 1744 wrote to memory of 1932 | 1744 | cmd.exe | 108 |
| PID 3248 wrote to memory of 3756 | 3248 | Process not Found | 109 |
| PID 3248 wrote to memory of 3756 | 3248 | Process not Found | 109 |
| PID 3248 wrote to memory of 3756 | 3248 | Process not Found | 109 |
| PID 3248 wrote to memory of 2608 | 3248 | Process not Found | 110 |
| PID 3248 wrote to memory of 2608 | 3248 | Process not Found | 110 |
| PID 3248 wrote to memory of 2608 | 3248 | Process not Found | 110 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 2608 wrote to memory of 4296 | 2608 | B4BC.exe | 111 |
| PID 4296 wrote to memory of 5072 | 4296 | B4BC.exe | 113 |
| PID 4296 wrote to memory of 5072 | 4296 | B4BC.exe | 113 |
| PID 4296 wrote to memory of 5072 | 4296 | B4BC.exe | 113 |
| PID 4296 wrote to memory of 3024 | 4296 | B4BC.exe | 114 |
| PID 4296 wrote to memory of 3024 | 4296 | B4BC.exe | 114 |
| PID 4296 wrote to memory of 3024 | 4296 | B4BC.exe | 114 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3024 wrote to memory of 448 | 3024 | B4BC.exe | 116 |
| PID 3248 wrote to memory of 3920 | 3248 | Process not Found | 119 |
| PID 3248 wrote to memory of 3920 | 3248 | Process not Found | 119 |
| PID 3920 wrote to memory of 508 | 3920 | BE43.exe | 120 |
| PID 3920 wrote to memory of 508 | 3920 | BE43.exe | 120 |
| PID 3920 wrote to memory of 508 | 3920 | BE43.exe | 120 |
| PID 3920 wrote to memory of 508 | 3920 | BE43.exe | 120 |
| PID 3920 wrote to memory of 508 | 3920 | BE43.exe | 120 |
| PID 3920 wrote to memory of 508 | 3920 | BE43.exe | 120 |
| PID 3248 wrote to memory of 1692 | 3248 | Process not Found | 126 |
| PID 3248 wrote to memory of 1692 | 3248 | Process not Found | 126 |
| PID 3248 wrote to memory of 1692 | 3248 | Process not Found | 126 |
| PID 1692 wrote to memory of 888 | 1692 | C70E.exe | 125 |
| PID 1692 wrote to memory of 888 | 1692 | C70E.exe | 125 |
| PID 1692 wrote to memory of 888 | 1692 | C70E.exe | 125 |
| PID 888 wrote to memory of 3256 | 888 | Oe9XV72.exe | 124 |
| PID 888 wrote to memory of 3256 | 888 | Oe9XV72.exe | 124 |
| PID 888 wrote to memory of 3256 | 888 | Oe9XV72.exe | 124 |
| PID 3256 wrote to memory of 2992 | 3256 | ta4xZ73.exe | 122 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; indentation shows parent/child nesting, the depth number is the level reported for each process.)

[depth 1] C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"
  PID: 3636
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"
    PID: 4416
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 328
      PID: 2908
      - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416
  PID: 2068

[depth 1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97AC.bat" "
  PID: 3052
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID: 4716

[depth 1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A3D.bat" "
  PID: 1744
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID: 1932

[depth 1] C:\Users\Admin\AppData\Local\Temp\A27C.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A27C.exe
  PID: 3756
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Local\Temp\B4BC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B4BC.exe
  PID: 2608
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\B4BC.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\B4BC.exe
    PID: 4296
    - DcRat
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\02dfcc31-22dd-4866-b979-8aeda9b2f020" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 5072
      - Modifies file permissions
    [depth 3] C:\Users\Admin\AppData\Local\Temp\B4BC.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B4BC.exe" --Admin IsNotAutoStart IsNotTask
      PID: 3024
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\B4BC.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\B4BC.exe" --Admin IsNotAutoStart IsNotTask
        PID: 448
        - Executes dropped EXE
        [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 568
          PID: 3600
          - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 448 -ip 448
  PID: 4020

[depth 1] C:\Users\Admin\AppData\Local\Temp\BE43.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\BE43.exe
  PID: 3920
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\BE43.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BE43.exe
    PID: 508
    - Executes dropped EXE

[depth 1] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe
  PID: 2992
  - Executes dropped EXE
  - Adds Run key to start application
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe
    PID: 3548
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4968
      - Drops startup file
      - Adds Run key to start application
      - Drops file in System32 directory
      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        PID: 3636
        - DcRat
        - Creates scheduled task(s)
      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        PID: 4020
        - DcRat
        - Creates scheduled task(s)
    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4992
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe
    PID: 4452
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[depth 1] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
  PID: 3256
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pZ252VG.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pZ252VG.exe
    PID: 4368

[depth 1] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
  PID: 888
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 1] C:\Users\Admin\AppData\Local\Temp\C70E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\C70E.exe
  PID: 1692
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 844

[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 3620

[depth 1] C:\Users\Admin\AppData\Local\Temp\2BEE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2BEE.exe
  PID: 2084
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Scheduled Task/Job 1
Defense Evasion
- File and Directory Permissions Modification 1
- Modify Registry 1
- Virtualization/Sandbox Evasion 1
Downloads