Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2024 01:24

Static task: static1

Behavioral task: behavioral1
- Sample: toolspub2.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: toolspub2.exe
- Resource: win10v2004-20231215-en

(The Signatures and Processes sections below reference behavioral1, the Windows 7 run: the YARA hits are under behavioral1/files and the PIDs and paths match that image.)
General
- Target: toolspub2.exe
- Size: 255KB
- MD5: 981b36d1cfeefa91f3ef5332922cdd8d
- SHA1: b8a6b27e011a503755c6df2501039edb82b092aa
- SHA256: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a
- SHA512: e0932850586027a24b8d8d7a3fbbaf4fc466a89cc4382ca1fb31847b5c201df3855f31e7208c577cc7907e5af0792abff0092941774cf3b4a27256440ba0d7c2
- SSDEEP: 3072:2lrJL/wx7/zm4XobcY66bIjWMHGZ4jnz2fbqbzx5h+4Wy601:23L/wxf9Y6mIjN/nmI+4W1
Malware Config

Extracted
- Family: smokeloader
- Botnet: up3

Extracted
- Family: smokeloader
- Version: 2020
- C2: http://host-file-host6.com/
- C2: http://host-host-file8.com/
Signatures

Modifies firewall policy service (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 95a7cw97ggq5_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 95a7cw97ggq5_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | 95a7cw97ggq5_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | 95a7cw97ggq5_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe

Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe

SmokeLoader
Modular backdoor trojan in use since 2014.

Disables taskbar notifications via registry modification

Disables use of System Restore points (1 TTPs)

Sets file execution options in registry (2 TTPs, 20 IoCs)
(IFEO below stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)
description | ioc | Process
Set value (str) | IFEO\Mrtstub.exe\Debugger = "zwkggwuzvjx.exe" | regedit.exe
Key created | IFEO\mbamgui.exe | 95a7cw97ggq5_1.exe
Key created | IFEO\rstrui.exe | regedit.exe
Key created | IFEO\MRT.exe | regedit.exe
Set value (str) | IFEO\MRT.exe\Debugger = "anfdmooirbr.exe" | regedit.exe
Set value (str) | IFEO\95a7cw97ggq5.exe\DisableExceptionChainValidation | 78B9.exe
Set value (str) | IFEO\mbamgui.exe\Debugger = "epbf.exe" | 95a7cw97ggq5_1.exe
Key created | IFEO\winmgr108.exe | 95a7cw97ggq5_1.exe
Set value (str) | IFEO\MRT.exe\Debugger = "fgox.exe" | 95a7cw97ggq5_1.exe
Set value (str) | IFEO\winmgr108.exe\Debugger = "nraktrc.exe" | 95a7cw97ggq5_1.exe
Set value (str) | IFEO\rstrui.exe\Debugger = "kftn.exe" | explorer.exe
Key created | IFEO\mbam.exe | 95a7cw97ggq5_1.exe
Key created | IFEO\Mrtstub.exe | 95a7cw97ggq5_1.exe
Set value (str) | IFEO\Mrtstub.exe\Debugger = "irmb.exe" | 95a7cw97ggq5_1.exe
Set value (str) | IFEO\rstrui.exe\Debugger = "zghhtplizzv.exe" | regedit.exe
Key created | IFEO\mrtstub.exe | regedit.exe
Key created | IFEO\95a7cw97ggq5.exe | 78B9.exe
Key created | IFEO\rstrui.exe | explorer.exe
Set value (str) | IFEO\mbam.exe\Debugger = "mbls.exe" | 95a7cw97ggq5_1.exe
Key created | IFEO\MRT.exe | 95a7cw97ggq5_1.exe
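How to read the IFEO rows above, plus an added check (editor's example; not the sandbox's output and not the malware's code). A Debugger value under Image File Execution Options\<image>.exe makes the Windows loader start the named program in place of <image>.exe, with the original command line appended. Here three different processes (95a7cw97ggq5_1.exe, the injected SysWOW64 explorer.exe and regedit.exe) point the Debugger for MRT.exe and Mrtstub.exe (Malicious Software Removal Tool), rstrui.exe (System Restore), mbam.exe and mbamgui.exe (Malwarebytes) and winmgr108.exe at random names such as zwkggwuzvjx.exe, so those tools never launch as invoked. The DisableExceptionChainValidation value written by 78B9.exe for 95a7cw97ggq5.exe (the report shows the value name but not its data) is the per-image switch that, when set to 1, turns SEHOP off. The script walks the IFEO key and reports both settings; the $SampleTargets list is copied from the report and only labels hits. It assumes an elevated PowerShell 3 or newer session.

```powershell
# Added example (editor's code; not part of the sandbox report and not the malware's code).
# Audits Image File Execution Options for the two settings the rows above show being
# written. Run from an elevated PowerShell 3+ session on the host under investigation.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Images the sample targeted, copied from the report. Used only to label hits;
# every Debugger / DisableExceptionChainValidation value found is reported.
$SampleTargets = 'MRT.exe', 'Mrtstub.exe', 'rstrui.exe', 'mbam.exe', 'mbamgui.exe', 'winmgr108.exe'

function Get-IfeoFinding {
    param([string]$Root = $IfeoRoot)

    foreach ($key in @(Get-ChildItem -Path $Root -ErrorAction SilentlyContinue)) {
        $image = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }

        if ($props.PSObject.Properties['Debugger']) {
            $debugger = [string]$props.Debugger
            # The loader runs the first token of the Debugger string and appends the
            # original command line, so that token is what actually starts.
            $exe = if ($debugger -match '^\s*"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
            # Resolve a bare name through the search path, roughly as CreateProcess would.
            # A Debugger that resolves to nothing means the hijacked tool simply never starts.
            $exists = $false
            if ($exe -and [System.IO.Path]::IsPathRooted($exe)) {
                $exists = Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue
            } elseif ($exe) {
                $exists = [bool](Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Image          = $image
                Setting        = 'Debugger'
                Value          = $debugger
                TargetExists   = $exists
                SampleTargeted = [bool]($SampleTargets -contains $image)
            }
        }

        if ($props.PSObject.Properties['DisableExceptionChainValidation']) {
            [pscustomobject]@{
                Image          = $image
                Setting        = 'DisableExceptionChainValidation'
                Value          = [string]$props.DisableExceptionChainValidation   # 1 = SEHOP off for this image
                TargetExists   = $null
                SampleTargeted = [bool]($SampleTargets -contains $image)
            }
        }
    }
}

Get-IfeoFinding | Sort-Object SampleTargeted, Image -Descending | Format-Table -AutoSize
```

Legitimate Debugger entries do exist (Process Explorer's "Replace Task Manager" option writes one under taskmgr.exe), so the signal is a Debugger under an anti-malware or recovery tool that points at a random-looking or non-existent target, not the mere presence of the value.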
Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe

Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe

Deletes itself (1 IoCs)
pid | Process
1208 | Explorer.EXE

Executes dropped EXE (3 IoCs)
pid | Process
2396 | 78B9.exe
2916 | 80A6.exe
320 | 95a7cw97ggq5_1.exe

Loads dropped DLL (1 IoCs)
pid | Process
2780 | explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\95a7cw97ggq5.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\95a7cw97ggq5.exe\"" | explorer.exe

Checks for any installed AV software in registry (1 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService (Avira) | 95a7cw97ggq5_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | 95a7cw97ggq5_1.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 78B9.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95a7cw97ggq5_1.exe

Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | C:\ProgramData\Java Updater\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid | Process
2396 | 78B9.exe
2780 | explorer.exe (10 entries)
320 | 95a7cw97ggq5_1.exe

NSIS installer (3 IoCs)
resource | yara_rule
behavioral1/files/0x000b0000000146c8-52.dat | nsis_installer_2
behavioral1/files/0x000b0000000146c8-54.dat | nsis_installer_2
behavioral1/files/0x000b0000000146c8-53.dat | nsis_installer_2

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 95a7cw97ggq5_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 95a7cw97ggq5_1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 78B9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 78B9.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2976 | schtasks.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe

Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
(2500 is the "Turn on Protected Mode" zone action; data 3 disables it, in all four zones.)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe

Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe

NTFS ADS (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\95a7cw97ggq5_1.exe:1BB7FB68 | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\95a7cw97ggq5_1.exe:1BB7FB68 | explorer.exe

Runs regedit.exe (1 IoCs)
pid | Process
900 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2444 | toolspub2.exe (2 entries)
1208 | Explorer.EXE (62 entries)

Suspicious behavior: MapViewOfSection (8 IoCs)
pid | Process
2444 | toolspub2.exe
2396 | 78B9.exe (2 entries)
2780 | explorer.exe (3 entries)
320 | 95a7cw97ggq5_1.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (60 IoCs)
pid | Process | Token
2396 | 78B9.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries)
2780 | explorer.exe | the same 14 privileges in the same order (14 entries)
320 | 95a7cw97ggq5_1.exe | the same 14 privileges, followed by SeCreatePagefilePrivilege five more times (19 entries)
900 | regedit.exe | the same list without 33 (13 entries)
(33 is the privilege LUID of SeIncreaseWorkingSetPrivilege, which the sandbox did not resolve to a name.)

Suspicious use of WriteProcessMemory (54 IoCs)
pid | Process | wrote to memory of (pid, image) | procid_target | entries
1208 | Explorer.EXE | 2396 (78B9.exe) | 28 | 4
2396 | 78B9.exe | 2780 (explorer.exe) | 29 | 7
1208 | Explorer.EXE | 2916 (80A6.exe) | 30 | 4
2780 | explorer.exe | 1172 (Dwm.exe) | 8 | 6
2780 | explorer.exe | 1208 (Explorer.EXE) | 7 | 6
2780 | explorer.exe | 2752 (DllHost.exe) | 31 | 6
2780 | explorer.exe | 320 (95a7cw97ggq5_1.exe) | 32 | 7
320 | 95a7cw97ggq5_1.exe | 900 (regedit.exe) | 33 | 7
320 | 95a7cw97ggq5_1.exe | 2976 (schtasks.exe) | 34 | 7

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth in brackets; the captured command line follows the image path)

[1] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe  PID 2444
    command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Windows\Explorer.EXE  PID 1208
    command line: C:\Windows\Explorer.EXE
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\78B9.exe  PID 2396
        command line: C:\Users\Admin\AppData\Local\Temp\78B9.exe
        - Sets file execution options in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\explorer.exe  PID 2780
            command line: C:\Windows\SysWOW64\explorer.exe
            - Modifies firewall policy service
            - Sets file execution options in registry
            - Checks BIOS information in registry
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops desktop.ini file(s)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Enumerates system info in registry
            - Modifies Internet Explorer Protected Mode
            - Modifies Internet Explorer Protected Mode Banner
            - Modifies Internet Explorer settings
            - NTFS ADS
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\95a7cw97ggq5_1.exe  PID 320
                command line (as captured): /suac
                - Modifies firewall policy service
                - Sets file execution options in registry
                - Executes dropped EXE
                - Checks for any installed AV software in registry
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks processor information in registry
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\regedit.exe  PID 900
                    command line: "C:\Windows\SysWOW64\regedit.exe"
                    - Modifies security service
                    - Sets file execution options in registry
                    - Sets service image path in registry
                    - Runs regedit.exe
                    - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\SysWOW64\schtasks.exe  PID 2976
                    command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\95A7CW~1.EXE" /RL HIGHEST
                    - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\80A6.exe  PID 2916
        command line: C:\Users\Admin\AppData\Local\Temp\80A6.exe
        - Executes dropped EXE

[1] C:\Windows\system32\Dwm.exe  PID 1172
    command line: "C:\Windows\system32\Dwm.exe"

[1] C:\Windows\system32\DllHost.exe  PID 2752
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
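Reading the tree together with the WriteProcessMemory and "Deletes itself" rows: the sample toolspub2.exe (2444) is credited only with SCSI checks, process enumeration and MapViewOfSection, after which the desktop shell Explorer.EXE (1208) spawns 78B9.exe and 80A6.exe and is the process that deletes toolspub2.exe. 78B9.exe starts a second, SysWOW64 explorer.exe (2780) and writes into its memory seven times; that explorer.exe is the one credited with zeroing the firewall profiles, writing the Run and RunOnce "Java Updater" values, creating the 1BB7FB68 stream on 95a7cw97ggq5_1.exe and writing into Dwm.exe, DllHost.exe and the real shell. 95a7cw97ggq5_1.exe (320) repeats the pattern with regedit.exe (900), started with no arguments and written to seven times before it makes the IFEO and wuauserv changes, and registers the logon task through schtasks.exe (2976) with /SC ONLOGON and /RL HIGHEST, pointing at the 8.3 form of C:\ProgramData\Java Updater\95a7cw97ggq5.exe. The PowerShell below is an added host-hunting script (editor's code; not the sandbox's output and not the malware's code) for those artefacts. The literal names it looks for ("Java Updater", "Windows Update Check - 0x1BB70478", wuauserv) are from the report; the broader conditions (any autorun or logon task running something out of ProgramData at highest run level, any non-svchost ImagePath on wuauserv, any non-standard stream on a Temp executable) are the editor's assumptions about what a renamed variant still looks like. It assumes an elevated PowerShell 3 or newer session.

```powershell
# Added example (editor's code; not the sandbox's output and not the malware's code).
# Hunts a live host for the artefacts the process tree above leaves behind.
# Run from an elevated PowerShell 3+ session.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Where = $Where; Detail = $Detail })
}
# Long, environment-variable and 8.3 spellings of ProgramData, as seen in the Run key and the task.
$ProgramDataPattern = '(?i)\\ProgramData\\|%ProgramData%|PROGRA~3'

# 1. Run / RunOnce values in HKLM and every loaded user hive
$hives = @('HKLM:') + @(Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run', 'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty -Path "$hive\$sub" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PSPath etc. are provider metadata, not values
            if ($p.Name -eq 'Java Updater' -or ([string]$p.Value) -match $ProgramDataPattern) {
                Add-Finding 'Autorun' "$hive\$sub\$($p.Name)" ([string]$p.Value)
            }
        }
    }
}

# 2. Scheduled tasks: read the task XML under System32\Tasks directly. No schtasks or
#    Get-ScheduledTask dependency, and the same code runs against a mounted offline image
#    by changing $TaskRoot.
$TaskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
Get-ChildItem -Path $TaskRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($_.FullName) } catch { return }
    $task = $doc.Task
    $cmd = @(@($task.Actions.Exec) | Where-Object { $_ } | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join '; '
    $onLogon = $null -ne $task.Triggers.LogonTrigger            # /SC ONLOGON
    $highest = [bool]($task.Principals.Principal.RunLevel -eq 'HighestAvailable')   # /RL HIGHEST
    $name = $_.FullName.Substring($TaskRoot.Length)
    if ($name -like '\Windows Update Check - *' -or ($onLogon -and $highest -and $cmd -match $ProgramDataPattern)) {
        Add-Finding 'ScheduledTask' $name "logon=$onLogon highest=$highest cmd=$cmd"
    }
}

# 3. Firewall profile switches: the sample writes EnableFirewall = 0 straight into the policy keys
foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile"
        $v = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        if ($null -ne $v -and $v -eq 0) { Add-Finding 'FirewallDisabled' $key "EnableFirewall=$v" }
    }
}

# 4. wuauserv ImagePath: rewritten by regedit.exe in the report (new data not shown);
#    the stock value runs the service through svchost.exe
$img = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv' -ErrorAction SilentlyContinue).ImagePath
if ($img -and $img -notmatch '(?i)\\svchost\.exe') { Add-Finding 'ServiceImagePath' 'wuauserv' $img }

# 5. Alternate data streams on executables in every user's Temp and in the dropper's folder
$dirs = @(Join-Path $env:ProgramData 'Java Updater') +
        @(Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
          ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { ':$DATA', 'Zone.Identifier' -notcontains $_.Stream } |
            ForEach-Object { Add-Finding 'NtfsAds' $_.FileName "$($_.Stream) ($($_.Length) bytes)" }
    }
}

$Findings | Format-Table -AutoSize -Wrap
```

The registry writes in the report are attributed to explorer.exe and regedit.exe rather than to the droppers, so process-name allow-lists built on "who wrote the Run key" would pass them; the script therefore keys on the written values and task contents, not on the writer.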
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads

- Filesize: 360KB
  MD5: 80c413180b6bd0dd664adc4e0665b494
  SHA1: e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
  SHA256: 6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
  SHA512: 347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

- Filesize: 207KB
  MD5: 8487df43e8a4dff97a05b056d2c80190
  SHA1: 094fc29aa1370b904037ec8f66368b15e54e1c76
  SHA256: 63316750092523126fa38e1016b2006b4e9fdffc2be839a44e865b2ab0977cb6
  SHA512: 9c90cc943b6f2e6f0e31a6c8f81fce4685d5a8953cf5de2649c5e24a47b92af91e9dadace32b16540487b131f4f820b7784860f31d67f1b3f32c90a5d066f553

- Filesize: 322KB
  MD5: a1899b3f2cd973ea58b024a3a62251a0
  SHA1: e3efeca9ed6b3e792349bd6cdb5a79d9caaea3b2
  SHA256: 431c2c18725958502c4f5dcfc43011c558ccf8e1bb823be723014739fc2365b1
  SHA512: d6ce58da8413ddf62194a6afd991ba6307f26cb933b1e50d65025045607e3bdd90e13dbbfe793274c2787d2deed973a949219c8b731b2f1cdfd5770996c1af2e

- Filesize: 71KB
  MD5: 77ba816839bc3ecf1624022a03b94de9
  SHA1: 3bf069a5deb9b8232d99e8401146a8979f06518b
  SHA256: cec4c8dd7bd096b5ef7fac496fa689d840b86429e74eeae64f4e9da252356203
  SHA512: d0cbacd75918d569658bca9038c4e4111fe9b4e008527ab6564802e238fcc38593ae4a28815f12e7cdc8ac247f0082e175932fd1a59b72f83ee251fb21ee67ac

- Filesize: 255KB (same hashes as the submitted sample toolspub2.exe)
  MD5: 981b36d1cfeefa91f3ef5332922cdd8d
  SHA1: b8a6b27e011a503755c6df2501039edb82b092aa
  SHA256: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a
  SHA512: e0932850586027a24b8d8d7a3fbbaf4fc466a89cc4382ca1fb31847b5c201df3855f31e7208c577cc7907e5af0792abff0092941774cf3b4a27256440ba0d7c2