Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
14-01-2024 04:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fbec4956a178bb65221cf87ab537b828.exe
Resource
win7-20231215-en
windows7-x64
33 signatures
150 seconds
Behavioral task
behavioral2
Sample
fbec4956a178bb65221cf87ab537b828.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
27 signatures
150 seconds
General
-
Target
fbec4956a178bb65221cf87ab537b828.exe
-
Size
207KB
-
MD5
fbec4956a178bb65221cf87ab537b828
-
SHA1
5e587f1f30a712e45b35e451af167a5ba54f508d
-
SHA256
f22e8c6027000f421c70d5733ff537d1e2e49deb5cc1d6ad3287175dffc2668e
-
SHA512
805d8ac96078aa598e2cd562e60748aeb9f36710490015d3203f309d26f341795fd1a3c82e28cb828947ff99777985fd00a540d3e1f42edd0b471a0739f8a490
-
SSDEEP
3072:Bo/htLJYeiJiiKVYgTemVAJny/8WyrtD7wmxRivBL2A:uTLJYefYgT/AByyug
Malware Config
Extracted
Family
smokeloader
Botnet
pub1
Extracted
Family
smokeloader
Version
2020
C2
http://host-file-host6.com/
http://host-host-file8.com/
rc4.i32
rc4.i32
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile 7eqy31o99_1.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" 7eqy31o99_1.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 7eqy31o99_1.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 7eqy31o99_1.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7eqy31o99.exe\DisableExceptionChainValidation 9CEB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe 7eqy31o99_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "qryxmojbmlu.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "qrpggenvfhs.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "jnxeulz.exe" 7eqy31o99_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "nohmz.exe" 7eqy31o99_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "tiloc.exe" 7eqy31o99_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "mgzap.exe" 7eqy31o99_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe 7eqy31o99_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bkrxqyr.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe 7eqy31o99_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "vnnde.exe" 7eqy31o99_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7eqy31o99.exe 9CEB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe 7eqy31o99_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe 7eqy31o99_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "xykmebudzoe.exe" regedit.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Deletes itself 1 IoCs
pid Process 1272 Explorer.EXE -
Executes dropped EXE 3 IoCs
pid Process 2804 9CEB.exe 2648 A5A3.exe 2772 7eqy31o99_1.exe -
Loads dropped DLL 1 IoCs
pid Process 2872 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7eqy31o99.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7eqy31o99.exe\"" explorer.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService 7eqy31o99_1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus 7eqy31o99_1.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9CEB.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7eqy31o99_1.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Java Updater\desktop.ini explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 2804 9CEB.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2772 7eqy31o99_1.exe -
NSIS installer 3 IoCs
resource yara_rule behavioral1/files/0x0013000000015c2f-43.dat nsis_installer_2 behavioral1/files/0x0013000000015c2f-38.dat nsis_installer_2 behavioral1/files/0x0013000000015c2f-45.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fbec4956a178bb65221cf87ab537b828.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fbec4956a178bb65221cf87ab537b828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fbec4956a178bb65221cf87ab537b828.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 7eqy31o99_1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9CEB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9CEB.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 7eqy31o99_1.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2036 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\7eqy31o99_1.exe:1BB7FB68 explorer.exe File created C:\Users\Admin\AppData\Local\Temp\7eqy31o99_1.exe:1BB7FB68 explorer.exe -
Runs regedit.exe 1 IoCs
pid Process 320 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2440 fbec4956a178bb65221cf87ab537b828.exe 2440 fbec4956a178bb65221cf87ab537b828.exe 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 2440 fbec4956a178bb65221cf87ab537b828.exe 2804 9CEB.exe 2804 9CEB.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2772 7eqy31o99_1.exe 2772 7eqy31o99_1.exe -
Suspicious use of AdjustPrivilegeToken 60 IoCs
description pid Process Token: SeDebugPrivilege 2804 9CEB.exe Token: SeRestorePrivilege 2804 9CEB.exe Token: SeBackupPrivilege 2804 9CEB.exe Token: SeLoadDriverPrivilege 2804 9CEB.exe Token: SeCreatePagefilePrivilege 2804 9CEB.exe Token: SeShutdownPrivilege 2804 9CEB.exe Token: SeTakeOwnershipPrivilege 2804 9CEB.exe Token: SeChangeNotifyPrivilege 2804 9CEB.exe Token: SeCreateTokenPrivilege 2804 9CEB.exe Token: SeMachineAccountPrivilege 2804 9CEB.exe Token: SeSecurityPrivilege 2804 9CEB.exe Token: SeAssignPrimaryTokenPrivilege 2804 9CEB.exe Token: SeCreateGlobalPrivilege 2804 9CEB.exe Token: 33 2804 9CEB.exe Token: SeDebugPrivilege 2872 explorer.exe Token: SeRestorePrivilege 2872 explorer.exe Token: SeBackupPrivilege 2872 explorer.exe Token: SeLoadDriverPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeTakeOwnershipPrivilege 2872 explorer.exe Token: SeChangeNotifyPrivilege 2872 explorer.exe Token: SeCreateTokenPrivilege 2872 explorer.exe Token: SeMachineAccountPrivilege 2872 explorer.exe Token: SeSecurityPrivilege 2872 explorer.exe Token: SeAssignPrimaryTokenPrivilege 2872 explorer.exe Token: SeCreateGlobalPrivilege 2872 explorer.exe Token: 33 2872 explorer.exe Token: SeDebugPrivilege 2772 7eqy31o99_1.exe Token: SeRestorePrivilege 2772 7eqy31o99_1.exe Token: SeBackupPrivilege 2772 7eqy31o99_1.exe Token: SeLoadDriverPrivilege 2772 7eqy31o99_1.exe Token: SeCreatePagefilePrivilege 2772 7eqy31o99_1.exe Token: SeShutdownPrivilege 2772 7eqy31o99_1.exe Token: SeTakeOwnershipPrivilege 2772 7eqy31o99_1.exe Token: SeChangeNotifyPrivilege 2772 7eqy31o99_1.exe Token: SeCreateTokenPrivilege 2772 7eqy31o99_1.exe Token: SeMachineAccountPrivilege 2772 7eqy31o99_1.exe Token: SeSecurityPrivilege 2772 7eqy31o99_1.exe Token: SeAssignPrimaryTokenPrivilege 2772 7eqy31o99_1.exe Token: SeCreateGlobalPrivilege 2772 7eqy31o99_1.exe Token: 33 2772 7eqy31o99_1.exe Token: SeCreatePagefilePrivilege 2772 7eqy31o99_1.exe Token: SeCreatePagefilePrivilege 2772 7eqy31o99_1.exe Token: SeCreatePagefilePrivilege 2772 7eqy31o99_1.exe Token: SeCreatePagefilePrivilege 2772 7eqy31o99_1.exe Token: SeCreatePagefilePrivilege 2772 7eqy31o99_1.exe Token: SeDebugPrivilege 320 regedit.exe Token: SeRestorePrivilege 320 regedit.exe Token: SeBackupPrivilege 320 regedit.exe Token: SeLoadDriverPrivilege 320 regedit.exe Token: SeCreatePagefilePrivilege 320 regedit.exe Token: SeShutdownPrivilege 320 regedit.exe Token: SeTakeOwnershipPrivilege 320 regedit.exe Token: SeChangeNotifyPrivilege 320 regedit.exe Token: SeCreateTokenPrivilege 320 regedit.exe Token: SeMachineAccountPrivilege 320 regedit.exe Token: SeSecurityPrivilege 320 regedit.exe Token: SeAssignPrimaryTokenPrivilege 320 regedit.exe Token: SeCreateGlobalPrivilege 320 regedit.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1272 Explorer.EXE 1272 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1272 Explorer.EXE 1272 Explorer.EXE -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2804 1272 Explorer.EXE 28 PID 1272 wrote to memory of 2804 1272 Explorer.EXE 28 PID 1272 wrote to memory of 2804 1272 Explorer.EXE 28 PID 1272 wrote to memory of 2804 1272 Explorer.EXE 28 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 2804 wrote to memory of 2872 2804 9CEB.exe 29 PID 1272 wrote to memory of 2648 1272 Explorer.EXE 30 PID 1272 wrote to memory of 2648 1272 Explorer.EXE 30 PID 1272 wrote to memory of 2648 1272 Explorer.EXE 30 PID 1272 wrote to memory of 2648 1272 Explorer.EXE 30 PID 2872 wrote to memory of 1228 2872 explorer.exe 15 PID 2872 wrote to memory of 1228 2872 explorer.exe 15 PID 2872 wrote to memory of 1228 2872 explorer.exe 15 PID 2872 wrote to memory of 1228 2872 explorer.exe 15 PID 2872 wrote to memory of 1228 2872 explorer.exe 15 PID 2872 wrote to memory of 1228 2872 explorer.exe 15 PID 2872 wrote to memory of 1272 2872 explorer.exe 14 PID 2872 wrote to memory of 1272 2872 explorer.exe 14 PID 2872 wrote to memory of 1272 2872 explorer.exe 14 PID 2872 wrote to memory of 1272 2872 explorer.exe 14 PID 2872 wrote to memory of 1272 2872 explorer.exe 14 PID 2872 wrote to memory of 1272 2872 explorer.exe 14 PID 2872 wrote to memory of 2136 2872 explorer.exe 33 PID 2872 wrote to memory of 2136 2872 explorer.exe 33 PID 2872 wrote to memory of 2136 2872 explorer.exe 33 PID 2872 wrote to memory of 2136 2872 explorer.exe 33 PID 2872 wrote to memory of 2136 2872 explorer.exe 33 PID 2872 wrote to memory of 2136 2872 explorer.exe 33 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2872 wrote to memory of 2772 2872 explorer.exe 34 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 320 2772 7eqy31o99_1.exe 35 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36 PID 2772 wrote to memory of 2036 2772 7eqy31o99_1.exe 36
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\fbec4956a178bb65221cf87ab537b828.exe"C:\Users\Admin\AppData\Local\Temp\fbec4956a178bb65221cf87ab537b828.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\9CEB.exeC:\Users\Admin\AppData\Local\Temp\9CEB.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\7eqy31o99_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\7EQY31~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
PID:2036
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A5A3.exeC:\Users\Admin\AppData\Local\Temp\A5A3.exe2⤵
- Executes dropped EXE
PID:2648
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1228
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2136
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
1.1MB
MD59ee910443ac686e2827e43c2c735e9bf
SHA13951d2e19deb0e82af889cc15aa4dedb67cc7135
SHA2561d6f5fe28521dfd20adeec5175ecce4741170bbcda84d55d2f13bca269895e69
SHA512416c25156bc8749bafa855895464d1d33d2d4b71baae4e172d839bc445f5a191440e388ad3ee1b7345cbc0b59d8b42c22ef4ab9e1dffda7ee4726bef22ec1476
-
Filesize
1.4MB
MD551f49a3a264f9b6fd7388591bc8e5fcc
SHA1176b9c92c3f0692d917abb9c54fc389b355b2b4d
SHA256236eb66f48802c490cb2f6264d1189194a27859c5da529b49447a23708f0779a
SHA51286ffbb87380e2fe1195613bd712449f4a3b63408d101df015faf81c91f5fe6b3e0bd30d444b5800853e191ec5bfa5d4648c67709bff7cc35c0bc40ff46514186
-
Filesize
559KB
MD587e2f38dc0ef3a83847882cbf27b5d4e
SHA14ff49e5f64bdc7c9c999f70af4c311a4d29159eb
SHA256cb22a159c79849ae358599bbf180ae2f28ff8c83ce27164a42d9ad066fa87eb9
SHA5128ba6c1b8dc32ddafef9e9f6d4cf80601cbdea9b3bca8f48982f4d5c240681652cfcf8ffc5325edc406f39252afb6bf5f1af0972fcaa5c1ccb7a6bbc32157c584
-
Filesize
207KB
MD5fbec4956a178bb65221cf87ab537b828
SHA15e587f1f30a712e45b35e451af167a5ba54f508d
SHA256f22e8c6027000f421c70d5733ff537d1e2e49deb5cc1d6ad3287175dffc2668e
SHA512805d8ac96078aa598e2cd562e60748aeb9f36710490015d3203f309d26f341795fd1a3c82e28cb828947ff99777985fd00a540d3e1f42edd0b471a0739f8a490