Resubmissions
11-02-2024 08:10
240211-j212ragb47 1011-02-2024 08:09
240211-j2kprseb2w 1009-02-2024 18:28
240209-w4c4xsde9t 1002-02-2024 12:52
240202-p4dxwsgfej 1002-02-2024 12:45
240202-pzapnsgdbp 1016-01-2024 15:29
240116-sw8dbaehh3 1010-01-2024 14:41
240110-r2wq2ahchl 1010-01-2024 13:29
240110-qrqatshbg3 1022-12-2023 08:48
231222-kqp1sadghq 10Analysis
-
max time kernel
1799s -
max time network
1697s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10-01-2024 14:41
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10-20231215-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe
Resource
win11-20231215-en
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
smokeloader
lab
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
cheat
103.173.227.25:12664
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile yq5gq5w9g_1.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" yq5gq5w9g_1.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile yq5gq5w9g_1.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" yq5gq5w9g_1.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/files/0x000a0000000163d4-84.dat family_redline behavioral1/files/0x000a0000000163d4-89.dat family_redline behavioral1/memory/1908-108-0x00000000008A0000-0x00000000008C0000-memory.dmp family_redline behavioral1/files/0x0006000000016d0e-105.dat family_redline -
SectopRAT payload 5 IoCs
resource yara_rule behavioral1/files/0x000a0000000163d4-84.dat family_sectoprat behavioral1/files/0x000a0000000163d4-89.dat family_sectoprat behavioral1/memory/1908-108-0x00000000008A0000-0x00000000008C0000-memory.dmp family_sectoprat behavioral1/memory/360-135-0x00000000002B0000-0x00000000002CF000-memory.dmp family_sectoprat behavioral1/files/0x0006000000016d0e-105.dat family_sectoprat -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Looks for VMWare services registry key. 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware tungbot.exe -
Sets file execution options in registry 2 TTPs 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe yq5gq5w9g_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "csconinq.exe" yq5gq5w9g_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "useymzuobsr.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bnxh.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe yq5gq5w9g_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "tueva.exe" yq5gq5w9g_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe yq5gq5w9g_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nsnzxzofnuq.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe yq5gq5w9g_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yq5gq5w9g.exe 820B.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yq5gq5w9g.exe\DisableExceptionChainValidation 820B.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "fpryb.exe" yq5gq5w9g_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "uoqqc.exe" yq5gq5w9g_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "ifhaq.exe" yq5gq5w9g_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe yq5gq5w9g_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "lhjaeqetuai.exe" regedit.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Deletes itself 1 IoCs
pid Process 764 explorer.exe -
Executes dropped EXE 12 IoCs
pid Process 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 920 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 1624 tungbot.exe 1908 tungbot.exe 2016 icsys.icn.exe 360 explorer.exe 1212 spoolsv.exe 1480 svchost.exe 2220 spoolsv.exe 2092 820B.exe 1652 88E0.exe 2184 yq5gq5w9g_1.exe -
Loads dropped DLL 11 IoCs
pid Process 2376 4363463463464363463463463.exe 2376 4363463463464363463463463.exe 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 2376 4363463463464363463463463.exe 1624 tungbot.exe 1624 tungbot.exe 2016 icsys.icn.exe 360 explorer.exe 1212 spoolsv.exe 1480 svchost.exe 764 explorer.exe -
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\yq5gq5w9g.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\yq5gq5w9g.exe\"" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\yq5gq5w9g.exe\"" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService yq5gq5w9g_1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus yq5gq5w9g_1.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 820B.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tungbot.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA yq5gq5w9g_1.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Java Updater\desktop.ini explorer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum tungbot.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 tungbot.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
pid Process 2092 820B.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 1480 svchost.exe 360 explorer.exe 1480 svchost.exe 1480 svchost.exe 1480 svchost.exe 360 explorer.exe 360 explorer.exe 360 explorer.exe 1908 tungbot.exe 1908 tungbot.exe 1908 tungbot.exe 1908 tungbot.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 2184 yq5gq5w9g_1.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2988 set thread context of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe tungbot.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\tjcm.cmn explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
resource yara_rule behavioral1/files/0x0008000000017376-206.dat nsis_installer_2 behavioral1/files/0x0008000000017376-208.dat nsis_installer_2 behavioral1/files/0x0008000000017376-207.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString yq5gq5w9g_1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 820B.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 820B.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 yq5gq5w9g_1.exe -
Creates scheduled task(s) 1 TTPs 31 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2188 schtasks.exe 2476 schtasks.exe 2948 schtasks.exe 3056 schtasks.exe 1728 schtasks.exe 2432 schtasks.exe 2972 schtasks.exe 2688 schtasks.exe 1312 schtasks.exe 1004 schtasks.exe 2404 schtasks.exe 1256 schtasks.exe 3000 schtasks.exe 332 schtasks.exe 1220 schtasks.exe 2440 schtasks.exe 2524 schtasks.exe 792 schtasks.exe 952 schtasks.exe 708 schtasks.exe 3012 schtasks.exe 540 schtasks.exe 1668 schtasks.exe 1868 schtasks.exe 2764 schtasks.exe 2032 schtasks.exe 2964 schtasks.exe 2708 schtasks.exe 384 schtasks.exe 1508 schtasks.exe 1020 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Explorer.EXE -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde 4363463463464363463463463.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\yq5gq5w9g_1.exe:1BB7FB68 explorer.exe File created C:\Users\Admin\AppData\Local\Temp\yq5gq5w9g_1.exe:1BB7FB68 explorer.exe -
Runs regedit.exe 1 IoCs
pid Process 1796 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 920 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 920 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE 1076 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 360 explorer.exe 1480 svchost.exe 764 explorer.exe -
Suspicious behavior: MapViewOfSection 15 IoCs
pid Process 920 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 2092 820B.exe 2092 820B.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 2184 yq5gq5w9g_1.exe 2184 yq5gq5w9g_1.exe 764 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 764 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2376 4363463463464363463463463.exe Token: SeShutdownPrivilege 1076 Explorer.EXE Token: SeDebugPrivilege 1908 tungbot.exe Token: SeShutdownPrivilege 1076 Explorer.EXE Token: SeShutdownPrivilege 1076 Explorer.EXE Token: SeShutdownPrivilege 1076 Explorer.EXE Token: SeShutdownPrivilege 1076 Explorer.EXE Token: SeDebugPrivilege 2092 820B.exe Token: SeRestorePrivilege 2092 820B.exe Token: SeBackupPrivilege 2092 820B.exe Token: SeLoadDriverPrivilege 2092 820B.exe Token: SeCreatePagefilePrivilege 2092 820B.exe Token: SeShutdownPrivilege 2092 820B.exe Token: SeTakeOwnershipPrivilege 2092 820B.exe Token: SeChangeNotifyPrivilege 2092 820B.exe Token: SeCreateTokenPrivilege 2092 820B.exe Token: SeMachineAccountPrivilege 2092 820B.exe Token: SeSecurityPrivilege 2092 820B.exe Token: SeAssignPrimaryTokenPrivilege 2092 820B.exe Token: SeCreateGlobalPrivilege 2092 820B.exe Token: 33 2092 820B.exe Token: SeDebugPrivilege 764 explorer.exe Token: SeRestorePrivilege 764 explorer.exe Token: SeBackupPrivilege 764 explorer.exe Token: SeLoadDriverPrivilege 764 explorer.exe Token: SeCreatePagefilePrivilege 764 explorer.exe Token: SeShutdownPrivilege 764 explorer.exe Token: SeTakeOwnershipPrivilege 764 explorer.exe Token: SeChangeNotifyPrivilege 764 explorer.exe Token: SeCreateTokenPrivilege 764 explorer.exe Token: SeMachineAccountPrivilege 764 explorer.exe Token: SeSecurityPrivilege 764 explorer.exe Token: SeAssignPrimaryTokenPrivilege 764 explorer.exe Token: SeCreateGlobalPrivilege 764 explorer.exe Token: 33 764 explorer.exe Token: SeDebugPrivilege 2184 yq5gq5w9g_1.exe Token: SeRestorePrivilege 2184 yq5gq5w9g_1.exe Token: SeBackupPrivilege 2184 yq5gq5w9g_1.exe Token: SeLoadDriverPrivilege 2184 yq5gq5w9g_1.exe Token: SeCreatePagefilePrivilege 2184 yq5gq5w9g_1.exe Token: SeShutdownPrivilege 2184 yq5gq5w9g_1.exe Token: SeTakeOwnershipPrivilege 2184 yq5gq5w9g_1.exe Token: SeChangeNotifyPrivilege 2184 yq5gq5w9g_1.exe Token: SeCreateTokenPrivilege 2184 yq5gq5w9g_1.exe Token: SeMachineAccountPrivilege 2184 yq5gq5w9g_1.exe Token: SeSecurityPrivilege 2184 yq5gq5w9g_1.exe Token: SeAssignPrimaryTokenPrivilege 2184 yq5gq5w9g_1.exe Token: SeCreateGlobalPrivilege 2184 yq5gq5w9g_1.exe Token: 33 2184 yq5gq5w9g_1.exe Token: SeCreatePagefilePrivilege 2184 yq5gq5w9g_1.exe Token: SeCreatePagefilePrivilege 2184 yq5gq5w9g_1.exe Token: SeCreatePagefilePrivilege 2184 yq5gq5w9g_1.exe Token: SeCreatePagefilePrivilege 2184 yq5gq5w9g_1.exe Token: SeCreatePagefilePrivilege 2184 yq5gq5w9g_1.exe Token: SeDebugPrivilege 1796 regedit.exe Token: SeRestorePrivilege 1796 regedit.exe Token: SeBackupPrivilege 1796 regedit.exe Token: SeLoadDriverPrivilege 1796 regedit.exe Token: SeCreatePagefilePrivilege 1796 regedit.exe Token: SeShutdownPrivilege 1796 regedit.exe Token: SeTakeOwnershipPrivilege 1796 regedit.exe Token: SeChangeNotifyPrivilege 1796 regedit.exe Token: SeCreateTokenPrivilege 1796 regedit.exe Token: SeMachineAccountPrivilege 1796 regedit.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1624 tungbot.exe 1624 tungbot.exe 2016 icsys.icn.exe 2016 icsys.icn.exe 360 explorer.exe 360 explorer.exe 1212 spoolsv.exe 1212 spoolsv.exe 1480 svchost.exe 1480 svchost.exe 2220 spoolsv.exe 2220 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2988 2376 4363463463464363463463463.exe 29 PID 2376 wrote to memory of 2988 2376 4363463463464363463463463.exe 29 PID 2376 wrote to memory of 2988 2376 4363463463464363463463463.exe 29 PID 2376 wrote to memory of 2988 2376 4363463463464363463463463.exe 29 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2988 wrote to memory of 920 2988 029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe 30 PID 2376 wrote to memory of 1624 2376 4363463463464363463463463.exe 31 PID 2376 wrote to memory of 1624 2376 4363463463464363463463463.exe 31 PID 2376 wrote to memory of 1624 2376 4363463463464363463463463.exe 31 PID 2376 wrote to memory of 1624 2376 4363463463464363463463463.exe 31 PID 1624 wrote to memory of 1908 1624 tungbot.exe 42 PID 1624 wrote to memory of 1908 1624 tungbot.exe 42 PID 1624 wrote to memory of 1908 1624 tungbot.exe 42 PID 1624 wrote to memory of 1908 1624 tungbot.exe 42 PID 1624 wrote to memory of 2016 1624 tungbot.exe 40 PID 1624 wrote to memory of 2016 1624 tungbot.exe 40 PID 1624 wrote to memory of 2016 1624 tungbot.exe 40 PID 1624 wrote to memory of 2016 1624 tungbot.exe 40 PID 2016 wrote to memory of 360 2016 icsys.icn.exe 39 PID 2016 wrote to memory of 360 2016 icsys.icn.exe 39 PID 2016 wrote to memory of 360 2016 icsys.icn.exe 39 PID 2016 wrote to memory of 360 2016 icsys.icn.exe 39 PID 360 wrote to memory of 1212 360 explorer.exe 38 PID 360 wrote to memory of 1212 360 explorer.exe 38 PID 360 wrote to memory of 1212 360 explorer.exe 38 PID 360 wrote to memory of 1212 360 explorer.exe 38 PID 1212 wrote to memory of 1480 1212 spoolsv.exe 37 PID 1212 wrote to memory of 1480 1212 spoolsv.exe 37 PID 1212 wrote to memory of 1480 1212 spoolsv.exe 37 PID 1212 wrote to memory of 1480 1212 spoolsv.exe 37 PID 1480 wrote to memory of 2220 1480 svchost.exe 36 PID 1480 wrote to memory of 2220 1480 svchost.exe 36 PID 1480 wrote to memory of 2220 1480 svchost.exe 36 PID 1480 wrote to memory of 2220 1480 svchost.exe 36 PID 360 wrote to memory of 704 360 explorer.exe 35 PID 360 wrote to memory of 704 360 explorer.exe 35 PID 360 wrote to memory of 704 360 explorer.exe 35 PID 360 wrote to memory of 704 360 explorer.exe 35 PID 1480 wrote to memory of 952 1480 svchost.exe 34 PID 1480 wrote to memory of 952 1480 svchost.exe 34 PID 1480 wrote to memory of 952 1480 svchost.exe 34 PID 1480 wrote to memory of 952 1480 svchost.exe 34 PID 1076 wrote to memory of 2092 1076 Explorer.EXE 43 PID 1076 wrote to memory of 2092 1076 Explorer.EXE 43 PID 1076 wrote to memory of 2092 1076 Explorer.EXE 43 PID 1076 wrote to memory of 2092 1076 Explorer.EXE 43 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 2092 wrote to memory of 764 2092 820B.exe 44 PID 1076 wrote to memory of 1652 1076 Explorer.EXE 45 PID 1076 wrote to memory of 1652 1076 Explorer.EXE 45 PID 1076 wrote to memory of 1652 1076 Explorer.EXE 45 PID 1076 wrote to memory of 1652 1076 Explorer.EXE 45 PID 764 wrote to memory of 1048 764 explorer.exe 11 PID 764 wrote to memory of 1048 764 explorer.exe 11 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:920
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tungbot.exe"C:\Users\Admin\AppData\Local\Temp\Files\tungbot.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
-
-
\??\c:\users\admin\appdata\local\temp\files\tungbot.exeÂc:\users\admin\appdata\local\temp\files\tungbot.exeÂ3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\820B.exeC:\Users\Admin\AppData\Local\Temp\820B.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Users\Admin\AppData\Local\Temp\yq5gq5w9g_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2184 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\YQ5GQ5~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
PID:1668
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\88E0.exeC:\Users\Admin\AppData\Local\Temp\88E0.exe2⤵
- Executes dropped EXE
PID:1652
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1048
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "472501478-17560842061159201298-807526899-1304761887-177182992-53831024934065425"1⤵PID:2348
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:47 /f1⤵
- Creates scheduled task(s)
PID:952
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe1⤵PID:704
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2220
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe1⤵
- Modifies visiblity of hidden/system files in Explorer
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:48 /f2⤵
- Creates scheduled task(s)
PID:2432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:49 /f2⤵
- Creates scheduled task(s)
PID:3000
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:50 /f2⤵
- Creates scheduled task(s)
PID:2188
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:51 /f2⤵
- Creates scheduled task(s)
PID:708
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:52 /f2⤵
- Creates scheduled task(s)
PID:2440
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:53 /f2⤵
- Creates scheduled task(s)
PID:2404
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:54 /f2⤵
- Creates scheduled task(s)
PID:2476
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:55 /f2⤵
- Creates scheduled task(s)
PID:1868
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:56 /f2⤵
- Creates scheduled task(s)
PID:2972
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:57 /f2⤵
- Creates scheduled task(s)
PID:2708
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:58 /f2⤵
- Creates scheduled task(s)
PID:384
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:59 /f2⤵
- Creates scheduled task(s)
PID:2524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:00 /f2⤵
- Creates scheduled task(s)
PID:2764
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:01 /f2⤵
- Creates scheduled task(s)
PID:1508
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:02 /f2⤵
- Creates scheduled task(s)
PID:2688
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:03 /f2⤵
- Creates scheduled task(s)
PID:2032
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:04 /f2⤵
- Creates scheduled task(s)
PID:332
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:05 /f2⤵
- Creates scheduled task(s)
PID:1020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:06 /f2⤵
- Creates scheduled task(s)
PID:2948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:07 /f2⤵
- Creates scheduled task(s)
PID:3056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:08 /f2⤵
- Creates scheduled task(s)
PID:1220
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:09 /f2⤵
- Creates scheduled task(s)
PID:1728
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:10 /f2⤵
- Creates scheduled task(s)
PID:2964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:11 /f2⤵
- Creates scheduled task(s)
PID:3012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:12 /f2⤵
- Creates scheduled task(s)
PID:792
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:13 /f2⤵
- Creates scheduled task(s)
PID:540
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:14 /f2⤵
- Creates scheduled task(s)
PID:1312
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:15 /f2⤵
- Creates scheduled task(s)
PID:1256
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:16 /f2⤵
- Creates scheduled task(s)
PID:1004
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe1⤵
- Modifies visiblity of hidden/system files in Explorer
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-914293300-17135332372586670591590564870598558581364419885-884217118-798457496"1⤵PID:2008
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2488
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2392
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
10Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
11KB
MD59d72032ce10591a37e4f6940e009a8c7
SHA1426c267a63088798b5175ab5ed30bc003c0880ba
SHA256a4cc0543a98e8e316f0f041011bc27c6af01dbf3e2f8be3ed438bbcd1a43ec7b
SHA512f84003f29bbab3ed060358884079cf90c1a19831aa9b82a0d0b1994e616579d8771786a0bc468f503152d1d1974e4915dac517e3365a5b5a15729626fdfbd39c
-
Filesize
32KB
MD589fe708515deb9c5789255983d674fb1
SHA15525cdda09db115a40dc7191cd82294dec99c358
SHA256ec8522188ac2286f1547591293bc4f43764240ee63353afaf692458f8a44b1d8
SHA5120202f59e6ffe95058608f0dd6d1d96b3b5d755e11cfc85437b78353160dc8308b246263da1fdf65ac0f5b83853f1e38e986f112a69be5d3b5f70a90381d2aeb8
-
Filesize
28KB
MD508a51772adab18623948521a46185b49
SHA197c65de8e5847e4e00e4cd120601929dd4831a47
SHA256dc7fca5cea7a5a9af4a5d3af27f93149054c43228a68e28d5480acfaae59a805
SHA512ad27db68df0b2f27f2b980985f73986705efef747bd659e3c434eb584493a543bfc0d39913b5158627276962d5825e169b286c055d4e62dc03f9053f6fd05c6d
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
93KB
MD55b99cd7e41c624a5a1a3d65e1b69b056
SHA19c1f9e7b65b05bf40db5ba88bb83c954874715bc
SHA25671c19357df3cf001e5e0d84deb11498fd74ef3b8b1c27f4c0c8a1026e869b2de
SHA51291a159a8462a5d940aa72f6de1be18102dbae3d96294dc0edeab0d0eb6b34cefc3c8272445a8987323d6db5545cc886fd4088f1ed78b17150dc6ced8e18ab1e7
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
88KB
MD54359f8523778cfd0ec3e2ac4132f2e92
SHA1bd3ab503ce1335572eb4807487091196adf2b29f
SHA256b6c1ce8eff33c31855dd73d64c20308c5cf80010ab8713caaf1d703ddc89c0eb
SHA51214827e3b245d66e141beb4cb3544a0bcb0614c012989e19753cfd78811c87ba4fc0e992d55fc93d7fda3a71436d389bb2814b84597d5845d94e6afc9916e12c1
-
Filesize
99KB
MD5a4979638b247751333d486aeb7481228
SHA14d8e13846df61c250d35c75a66987a3288db717b
SHA256bc929754d1fee83d4faa1cefb6bc48e8304ff125606972962daa0799973df8b8
SHA5127bed8a3c210f4a7e280ce14baea20af43f08754b1670803fdc3257954f4564c1cfbb9c227a5a5bc11ce63500b3abbaa333cac13476f36b5c543d24cfa5b15ba6
-
Filesize
135KB
MD5f4de2e51b9fef6ae1caf003db37cc1eb
SHA11edfcf4952f083bce1fbd2b4e26380b51bc9656a
SHA2568df2bf29bd826418a29c5801111666b58dd6b548903935e472a66e635d6c61b6
SHA51236a994cab9ef1a898c9dd67dea5a4d1d63eee481debb4645a4f2177c7a83cfd8c8579acae45c2c1ac7f8c05daab1d3fd4bceb4572c55341452ac117c793b937d
-
Filesize
20KB
MD5d89de3f600b622fb8a09468dc3f87632
SHA1c4e8673fb71105ce96f9f7925b723bc2e587b002
SHA256d970702fbe2b869af37ae0876372f084859461fab738930a8dd8be6df795eb38
SHA512db4dbb9e9b40ac51d2169f5f1a9ed24fe13f49f8e3403f71b167f4f43ae2a5adacb188adf43b3ed6a1116a2fdaf462d366ed6d622a2b92234a54c8bb6efc9034
-
Filesize
135KB
MD5084ec49bd1c825bcbbe00bf85f49a78e
SHA1b553957a320d527cb669c7c1079f879fc8f0d8f4
SHA256a666805ef2e56f676790a2ede0da6c71a780bec2e6425368775eb1758fca6405
SHA512c717d82eafab34300f9aef1f7dd291e0298c947d54db863f265505b590c126155f5ee8937b7fbe35b5748b9bd079745319ca5856e1a79d22eea7b4df37c8d1c1
-
\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe
Filesize195KB
MD51d3eda04f0c2f84002d479177a9a0dc1
SHA17289fcbbb18de90735af84b5c99818cd5411c87f
SHA256029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31
SHA5121c73e74e31ee730b2dfade6e700f66b94cc15bf4167427ca4a9b3a1b5132e168a73276d6ccba0602b6ba37c3cc72312f06a9c42a6a731175a4daf72307783c94
-
Filesize
234KB
MD595955f84fedd9d7cb867638e65f6911b
SHA149ab9fbe607129d70702cee541133002b3b9e15b
SHA25652de83987941b92875cecdd1661cc2757eae4f02ef564fd2e147d06eb9d8ab44
SHA512082ff0e782c83e4d3973dd622de4091be9db939b73f867cb064f03125da06dd4946923cb0f63f587f32126736130d7ca87cd72257cb3bb13f52ce0618133bce7
-
Filesize
135KB
MD5a810d1f630c1cba0f167fb28dc6e47af
SHA1d8f911ec145f9f8f12eec5b494924502f2db07a8
SHA256ad19128128e1e12d7bd15141bdf2f5d90ea0c36d9df33d23778536fa0dfaabf2
SHA5126d0c8b5049be44be6f3655aad6050a44daaead7fde6c5e2577618fac620abc7ed8c5c62bc443f4d955c8d0105e029f0e0c5f9972e1ca29dc0fe7d825df5c8ef5
-
Filesize
135KB
MD5224511f1f5b60cdce77fe83505762522
SHA161cc340bf7f81b947a390466a2c57a6619177b47
SHA256c2c2c8a2942c3897c2c72a93f802c0dee49c65785dbe0a6647d71efbac85fb90
SHA51201362be5fd9f5e10fe8abe917ece18a004f1004e0226996b045487d280a34a173bd623a416fe54a01768d70aa290525162a5a4ab28c1c51dbd016d854f891856