Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 10-01-2024 01:48
Behavioral task: behavioral1
- Sample: dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
- Resource: win10v2004-20231222-en
General
- Target: dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
- Size: 32KB
- MD5: abc9982b12769a29178b120ed8d79d7c
- SHA1: f8360d1f967b2310e02a81cfbb1206bb3632ee71
- SHA256: f58e57d1015834305e61c7f021794c682ee9174bb3ad6eb189620811fea975a8
- SHA512: bd8db2c3d2cfc90c04f72ce83476095abb49e5e7c9ec1366dd3653fbca95a8d063b4980977ce8687626bfe75f4d62bda408d2b5713dd25e04ecbe270973ce037
- SSDEEP: 768:OAUqYpNSIoKpDd1KM02kQhx4hOtFceWzYqvz0bOS:HLo8LKtd1PBkQD4UtFceWnz
Malware Config
Extracted
- Family: smokeloader
- pub1
Extracted
- Family: smokeloader
- 2020
- http://host-file-host6.com/
- http://host-host-file8.com/
Signatures

Modifies firewall policy service (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 5ko7953y3_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | 5ko7953y3_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe

Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
SmokeLoader
Modular backdoor trojan in use since 2014.

Disables taskbar notifications via registry modification

Disables use of System Restore points (1 TTPs)
Sets file execution options in registry (2 TTPs, 20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "pqljhp.exe" | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | 5ko7953y3_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "mvukhmq.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "evmunb.exe" | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | 5ko7953y3_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "fyjyaq.exe" | 5ko7953y3_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "wiwhaom.exe" | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5ko7953y3.exe | A8DD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5ko7953y3.exe\DisableExceptionChainValidation | A8DD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe | 5ko7953y3_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "spyevy.exe" | 5ko7953y3_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nvlujxelzws.exe" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "akzydxivign.exe" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "qaulfbplwla.exe" | regedit.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe

Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe

Deletes itself (1 IoCs)
pid | Process
1276 | Explorer.EXE

Executes dropped EXE (3 IoCs)
pid | Process
2804 | A8DD.exe
2760 | B07C.exe
908 | 5ko7953y3_1.exe

Loads dropped DLL (1 IoCs)
pid | Process
2588 | explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\5ko7953y3.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\5ko7953y3.exe" | explorer.exe

Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | 5ko7953y3_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | 5ko7953y3_1.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | A8DD.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5ko7953y3_1.exe

Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | C:\ProgramData\Java Updater\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid | Process
2804 | A8DD.exe
2588 | explorer.exe (10 entries)
908 | 5ko7953y3_1.exe

NSIS installer (3 IoCs)
resource | yara_rule
behavioral1/files/0x0014000000015da6-30.dat | nsis_installer_2
behavioral1/files/0x0014000000015da6-31.dat | nsis_installer_2
behavioral1/files/0x0014000000015da6-33.dat | nsis_installer_2

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | A8DD.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5ko7953y3_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5ko7953y3_1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | A8DD.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
568 | schtasks.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe

Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe

Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe

NTFS ADS (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\5ko7953y3_1.exe:1BB7FB68 | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\5ko7953y3_1.exe:1BB7FB68 | explorer.exe

Runs regedit.exe (1 IoCs)
pid | Process
1412 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1724 | dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe (2 entries)
1276 | Explorer.EXE (62 entries)

Suspicious behavior: MapViewOfSection (8 IoCs)
pid | Process
1724 | dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
2804 | A8DD.exe (2 entries)
2588 | explorer.exe (3 entries)
908 | 5ko7953y3_1.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (60 IoCs)
description | pid | Process
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 | 2804 | A8DD.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 | 2588 | explorer.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33, SeCreatePagefilePrivilege (5 further entries) | 908 | 5ko7953y3_1.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege | 1412 | regedit.exe

Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | Process | procid_target
PID 1276 wrote to memory of 2804 (4 entries) | 1276 | Explorer.EXE | 28
PID 1276 wrote to memory of 2760 (4 entries) | 1276 | Explorer.EXE | 29
PID 2804 wrote to memory of 2588 (7 entries) | 2804 | A8DD.exe | 30
PID 2588 wrote to memory of 1184 (6 entries) | 2588 | explorer.exe | 17
PID 2588 wrote to memory of 1276 (6 entries) | 2588 | explorer.exe | 11
PID 2588 wrote to memory of 2888 (6 entries) | 2588 | explorer.exe | 33
PID 2588 wrote to memory of 908 (7 entries) | 2588 | explorer.exe | 34
PID 908 wrote to memory of 1412 (7 entries) | 908 | 5ko7953y3_1.exe | 35
PID 908 wrote to memory of 568 (7 entries) | 908 | 5ko7953y3_1.exe | 37
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Deletes itself
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1276

   2. C:\Users\Admin\AppData\Local\Temp\dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb_dump.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 1724

   2. C:\Users\Admin\AppData\Local\Temp\A8DD.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\A8DD.exe
      - Sets file execution options in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2804

      3. C:\Windows\SysWOW64\explorer.exe
         Command line: C:\Windows\SysWOW64\explorer.exe
         - Modifies firewall policy service
         - Sets file execution options in registry
         - Checks BIOS information in registry
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops desktop.ini file(s)
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Enumerates system info in registry
         - Modifies Internet Explorer Protected Mode
         - Modifies Internet Explorer Protected Mode Banner
         - Modifies Internet Explorer settings
         - NTFS ADS
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2588

         4. C:\Users\Admin\AppData\Local\Temp\5ko7953y3_1.exe
            Command line: /suac
            - Modifies firewall policy service
            - Sets file execution options in registry
            - Executes dropped EXE
            - Checks for any installed AV software in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 908

            5. C:\Windows\SysWOW64\regedit.exe
               Command line: "C:\Windows\SysWOW64\regedit.exe"
               - Modifies security service
               - Sets file execution options in registry
               - Sets service image path in registry
               - Runs regedit.exe
               - Suspicious use of AdjustPrivilegeToken
               PID: 1412

            5. C:\Windows\SysWOW64\schtasks.exe
               Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\5KO795~1.EXE" /RL HIGHEST
               - Creates scheduled task(s)
               PID: 568

   2. C:\Users\Admin\AppData\Local\Temp\B07C.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\B07C.exe
      - Executes dropped EXE
      PID: 2760

1. C:\Windows\system32\Dwm.exe
   Command line: "C:\Windows\system32\Dwm.exe"
   PID: 1184

1. C:\Windows\system32\DllHost.exe
   Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
   PID: 2888
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads