Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
22-01-2024 04:19
Static task
static1
Behavioral task
behavioral1
Sample
6eb66417d2421609dd31a36683513601.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
6eb66417d2421609dd31a36683513601.exe
Resource
win10v2004-20231215-en
General
-
Target
6eb66417d2421609dd31a36683513601.exe
-
Size
264KB
-
MD5
6eb66417d2421609dd31a36683513601
-
SHA1
ded3739ab047f40b680a48784404d622091e69ba
-
SHA256
9f5f03cbcbc7210125928f059fc4bee2618b151b98b468f703c5207d57d0e3c1
-
SHA512
a64368c591651a02c08c6c63ecd61ae04dd22e5220c1d5192176af7844cfd2d58c489b471d90cc5c97fb9ff91056c4c014695417218ca6a3179c967618a799fe
-
SSDEEP
3072:QkEQ3uXFjViudXwDOe7FWlUYsohx0uFwih7IxSqE6pWD0ajzz8ZOLz6GEdfoDPOM:QkEZXFj8jDOe7w1b700uWwKEwsf+Gbo
Malware Config
Extracted
smokeloader
7777
Extracted
smokeloader
2020
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
Processes: m1993gose3g5_1.exe, explorer.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | m1993gose3g5_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | m1993gose3g5_1.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes: regedit.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
Processes: regedit.exe, explorer.exe, m1993gose3g5_1.exe, 9E42.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "gxmlhorlizy.exe" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "aywhor.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "qiknaeqfk.exe" | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "alojqkasppl.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\m1993gose3g5.exe | 9E42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "cfnipnabm.exe" | m1993gose3g5_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "abo.exe" | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | m1993gose3g5_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "iwpudnsic.exe" | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "vdsxwjxrtau.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\m1993gose3g5.exe\DisableExceptionChainValidation | 9E42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | m1993gose3g5_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "wflfalvgw.exe" | m1993gose3g5_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe | m1993gose3g5_1.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: regedit.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
-
Deletes itself 1 IoCs
Processes: Explorer.EXE
pid | Process
1220 | Explorer.EXE
-
Executes dropped EXE 5 IoCs
Processes: 9E42.exe, A5C2.exe, m1993gose3g5_1.exe, abihsce
pid | Process
2724 | 9E42.exe
2620 | A5C2.exe
268 | m1993gose3g5_1.exe
1640 | abihsce
2404 | abihsce
-
Loads dropped DLL 2 IoCs
Processes: explorer.exe, abihsce
pid | Process
2764 | explorer.exe
1640 | abihsce
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\m1993gose3g5.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\m1993gose3g5.exe" | explorer.exe
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes: m1993gose3g5_1.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | m1993gose3g5_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | m1993gose3g5_1.exe
-
Checks whether UAC is enabled
Processes: 9E42.exe, m1993gose3g5_1.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9E42.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | m1993gose3g5_1.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
description | ioc | Process
File opened for modification | C:\ProgramData\Java Updater\desktop.ini | explorer.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes: 9E42.exe, explorer.exe, m1993gose3g5_1.exe
pid | Process
2724 | 9E42.exe
2764 | explorer.exe (10 entries)
268 | m1993gose3g5_1.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 6eb66417d2421609dd31a36683513601.exe, abihsce
description | pid | Process | procid_target
PID 1948 set thread context of 1968 | 1948 | 6eb66417d2421609dd31a36683513601.exe | 28
PID 1640 set thread context of 2404 | 1640 | abihsce | 38
-
NSIS installer 3 IoCs
resource | yara_rule
behavioral1/files/0x000e000000014f12-47.dat | nsis_installer_2
behavioral1/files/0x000e000000014f12-46.dat | nsis_installer_2
behavioral1/files/0x000e000000014f12-49.dat | nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 6eb66417d2421609dd31a36683513601.exe, abihsce
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6eb66417d2421609dd31a36683513601.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6eb66417d2421609dd31a36683513601.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | abihsce
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | abihsce
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | abihsce
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6eb66417d2421609dd31a36683513601.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, m1993gose3g5_1.exe, 9E42.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | m1993gose3g5_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | m1993gose3g5_1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9E42.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9E42.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
-
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
-
NTFS ADS 2 IoCs
Processes: explorer.exe
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\m1993gose3g5_1.exe:1BB7FB68 | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\m1993gose3g5_1.exe:1BB7FB68 | explorer.exe
-
Runs regedit.exe 1 IoCs
Processes: regedit.exe
pid | Process
2284 | regedit.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6eb66417d2421609dd31a36683513601.exe, Explorer.EXE
pid | Process
1968 | 6eb66417d2421609dd31a36683513601.exe (2 entries)
1220 | Explorer.EXE (62 entries)
-
Suspicious behavior: MapViewOfSection 9 IoCs
Processes: 6eb66417d2421609dd31a36683513601.exe, 9E42.exe, explorer.exe, m1993gose3g5_1.exe
pid | Process
1968 | 6eb66417d2421609dd31a36683513601.exe
2724 | 9E42.exe (2 entries)
2764 | explorer.exe (3 entries)
268 | m1993gose3g5_1.exe (2 entries)
2764 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
Processes: 9E42.exe, explorer.exe, m1993gose3g5_1.exe, regedit.exe
description | pid | Process
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries) | 2724 | 9E42.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries) | 2764 | explorer.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33, then SeCreatePagefilePrivilege a further 5 times (19 entries) | 268 | m1993gose3g5_1.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege (13 entries) | 2284 | regedit.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 6eb66417d2421609dd31a36683513601.exe, Explorer.EXE, 9E42.exe, explorer.exe, taskeng.exe, abihsce, m1993gose3g5_1.exe
description | pid | Process | procid_target
PID 1948 wrote to memory of 1968 | 1948 | 6eb66417d2421609dd31a36683513601.exe | 28 (7 entries)
PID 1220 wrote to memory of 2724 | 1220 | Explorer.EXE | 29 (4 entries)
PID 2724 wrote to memory of 2764 | 2724 | 9E42.exe | 30 (7 entries)
PID 1220 wrote to memory of 2620 | 1220 | Explorer.EXE | 31 (4 entries)
PID 2764 wrote to memory of 1172 | 2764 | explorer.exe | 25 (6 entries)
PID 2764 wrote to memory of 1220 | 2764 | explorer.exe | 24 (6 entries)
PID 2764 wrote to memory of 1936 | 2764 | explorer.exe | 34 (6 entries)
PID 2764 wrote to memory of 268 | 2764 | explorer.exe | 36 (7 entries)
PID 2528 wrote to memory of 1640 | 2528 | taskeng.exe | 37 (4 entries)
PID 1640 wrote to memory of 2404 | 1640 | abihsce | 38 (7 entries)
PID 268 wrote to memory of 2284 | 268 | m1993gose3g5_1.exe | 39 (6 entries)
Processes
C:\Windows\Explorer.EXE (PID 1220)
  Command line: C:\Windows\Explorer.EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6eb66417d2421609dd31a36683513601.exe (PID 1948)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6eb66417d2421609dd31a36683513601.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\6eb66417d2421609dd31a36683513601.exe (PID 1968)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6eb66417d2421609dd31a36683513601.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  C:\Users\Admin\AppData\Local\Temp\9E42.exe (PID 2724)
    Command line: C:\Users\Admin\AppData\Local\Temp\9E42.exe
    - Sets file execution options in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 2764)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Sets file execution options in registry
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\m1993gose3g5_1.exe (PID 268)
        Command line: /suac
        - Modifies firewall policy service
        - Sets file execution options in registry
        - Executes dropped EXE
        - Checks for any installed AV software in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regedit.exe (PID 2284)
          Command line: "C:\Windows\SysWOW64\regedit.exe"
          - Modifies security service
          - Sets file execution options in registry
          - Sets service image path in registry
          - Runs regedit.exe
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\schtasks.exe (PID 2784)
          Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\M1993G~1.EXE" /RL HIGHEST
          - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\A5C2.exe (PID 2620)
    Command line: C:\Users\Admin\AppData\Local\Temp\A5C2.exe
    - Executes dropped EXE
C:\Windows\system32\Dwm.exe (PID 1172)
  Command line: "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\DllHost.exe (PID 1936)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\taskeng.exe (PID 2528)
  Command line: taskeng.exe {09F734B8-F3A5-4528-89B8-82A5CE685562} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\abihsce (PID 1640)
    Command line: C:\Users\Admin\AppData\Roaming\abihsce
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\abihsce (PID 2404)
      Command line: C:\Users\Admin\AppData\Roaming\abihsce
      - Executes dropped EXE
      - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 3
- Create or Modify System Process 2
  - Windows Service 2
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 3
- Create or Modify System Process 2
  - Windows Service 2
- Scheduled Task/Job 1
Downloads