Scores by platform
Sample | windows7-x64 | windows10-2004-x64
About.chm | 7 | 1
Setup_s34.exe | 10 | 7
baid.exe | 10 | 7
bind_8152.exe | 10 | 7
duisc.exe | 10 | 8
edmtd.exe | 10 | 7
itadx.exe | 10 | 7
ly2_03.exe | 10 | 10
pcast.exe | 10 | 10
pingtu12.exe | 10 | 1
qqa02_u88setup.exe | 10 | 8
sdcnc.exe | 10 | 8
sdpig.exe | 10 | 7
sdreg.exe | 10 | 1
sdset.exe | 10 | 10
sogoutb_se...ni.exe | 10 | 7
Analysis (score: 10)
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 25-01-2024 17:27
Behavioral tasks
Task | Sample | Resource
behavioral1 | About.chm | win7-20231215-en
behavioral2 | About.chm | win10v2004-20231215-en
behavioral3 | Setup_s34.exe | win7-20231215-en
behavioral4 | Setup_s34.exe | win10v2004-20231215-en
behavioral5 | baid.exe | win7-20231215-en
behavioral6 | baid.exe | win10v2004-20231215-en
behavioral7 | bind_8152.exe | win7-20231215-en
behavioral8 | bind_8152.exe | win10v2004-20231215-en
behavioral9 | duisc.exe | win7-20231129-en
behavioral10 | duisc.exe | win10v2004-20231215-en
behavioral11 | edmtd.exe | win7-20231215-en
behavioral12 | edmtd.exe | win10v2004-20231222-en
behavioral13 | itadx.exe | win7-20231215-en
behavioral14 | itadx.exe | win10v2004-20231215-en
behavioral15 | ly2_03.exe | win7-20231215-en
behavioral16 | ly2_03.exe | win10v2004-20231215-en
behavioral17 | pcast.exe | win7-20231215-en
behavioral18 | pcast.exe | win10v2004-20231222-en
behavioral19 | pingtu12.exe | win7-20231215-en
behavioral20 | pingtu12.exe | win10v2004-20231215-en
behavioral21 | qqa02_u88setup.exe | win7-20231215-en
behavioral22 | qqa02_u88setup.exe | win10v2004-20231222-en
behavioral23 | sdcnc.exe | win7-20231215-en
behavioral24 | sdcnc.exe | win10v2004-20231215-en
behavioral25 | sdpig.exe | win7-20231129-en
behavioral26 | sdpig.exe | win10v2004-20231215-en
behavioral27 | sdreg.exe | win7-20231215-en
behavioral28 | sdreg.exe | win10v2004-20231222-en
behavioral29 | sdset.exe | win7-20231215-en
behavioral30 | sdset.exe | win10v2004-20231215-en
behavioral31 | sogoutb_setup_pp365sosoft08mini.exe | win7-20231215-en
General
Target: duisc.exe
Size: 262KB
MD5: 28199122b75f244cd44d2dfc0107dc03
SHA1: 5a8b0ad0cdd4864d421916f5034a6913035750c1
SHA256: a345cbd37c52c9926d789826a82f1d1a17986d1833e21ffc97afed70e1a0a4e1
SHA512: 331755f64a8d41332e59787b628f26c526340bc73eb7acbecf1fe6ac461710d6b97fa524556ac53a23118f2e0f4649659701ca018d47e9749c3901c2f71aebe5
SSDEEP: 3072:XHYR8jkJ5y+wLjOKWeKI9hyqfDydmfPmbAT2V1p9p7/Wg8gV6tZy4co28kd+06bb:oEXueBjyAGkqV1pPWVw4BEe5uqmGv
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
flow | pid | Process
6 | 1076 | RunDll32.exe
7 | 2288 | RunDll32.exe
Executes dropped EXE 1 IoCs
pid | Process
1444 | CFSQdll.exe
Loads dropped DLL 19 IoCs
pid | Process
2948 | duisc.exe
2948 | duisc.exe
1444 | CFSQdll.exe
1444 | CFSQdll.exe
1444 | CFSQdll.exe
2288 | RunDll32.exe
2288 | RunDll32.exe
2288 | RunDll32.exe
2288 | RunDll32.exe
1076 | RunDll32.exe
1076 | RunDll32.exe
1076 | RunDll32.exe
2284 | Rundll32.exe
2284 | Rundll32.exe
2284 | Rundll32.exe
2284 | Rundll32.exe
1076 | RunDll32.exe
2288 | RunDll32.exe
2288 | RunDll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscfs = "RUNDLL32 C:\\Windows\\system32\\msibm\\cfsys.dll,cfs" | duisc.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "BHelper" | RunDll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7} | RunDll32.exe
Drops file in System32 directory 21 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\msibm\CFSQdll.exe | duisc.exe
File opened for modification | C:\Windows\SysWOW64\msibm\post.tpl | duisc.exe
File opened for modification | C:\Windows\SysWOW64\msibm\intro.tpl | duisc.exe
File created | C:\Windows\SysWOW64\msibm\post.htm | Rundll32.exe
File opened for modification | C:\Windows\SysWOW64\ibmvdr_.dll | duisc.exe
File opened for modification | C:\Windows\SysWOW64\msibm\cfscfg.7z | RunDll32.exe
File opened for modification | C:\Windows\SysWOW64\msibm\CFSQdll.exe | duisc.exe
File created | C:\Windows\SysWOW64\msibm\intro.tpl | duisc.exe
File created | C:\Windows\SysWOW64\msibm\cfs7zd.DLL | duisc.exe
File created | C:\Windows\SysWOW64\msibm\cfsupd.dll | duisc.exe
File created | C:\Windows\SysWOW64\msibm\lowlvl.dll | duisc.exe
File created | C:\Windows\SysWOW64\msibm\cfsbho.dll | duisc.exe
File created | C:\Windows\SysWOW64\msibm\cfsys.dll | duisc.exe
File created | C:\Windows\SysWOW64\msibm\linbak.dll | duisc.exe
File created | C:\Windows\SysWOW64\msibm\cfscfg.7z | RunDll32.exe
File created | C:\Windows\SysWOW64\msibm\Uninstall.exe | duisc.exe
File created | C:\Windows\SysWOW64\msibm\post.tpl | duisc.exe
File created | C:\Windows\SysWOW64\ibmvdr_.dll | duisc.exe
File opened for modification | C:\Windows\SysWOW64\ibmuuid_.dll | Rundll32.exe
File created | C:\Windows\SysWOW64\ibmuuid_.dll | Rundll32.exe
File created | C:\Windows\SysWOW64\msibm\intro.htm | Rundll32.exe
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1 RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32 RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\ = "CBHelper Object" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ProgID\ = "cfsbho.BHelper.1" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\ = "cfsbho 1.0 ÀàÐÍ¿â" RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ProgID RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279} RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32 RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\Version = "1.0" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\ = "cfsbho" RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\VersionIndependentProgID RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF} RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL\AppID RunDll32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32 RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0 RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper" RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\Programmable RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\VersionIndependentProgID\ = "cfsbho.BHelper" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll" RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279} RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\AppID RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\TypeLib RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\Version = "1.0" RunDll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF} RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer\ = "cfsbho.BHelper.1" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}" RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32 RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ThreadingModel = "apartment" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS\ = "0" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\msibm\\" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\ = "CBHelper Object" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}" RunDll32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7} RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0 RunDll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "CBHelper Object" RunDll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}" RunDll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe 2288 RunDll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2288 | RunDll32.exe
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 1444 | 2948 | duisc.exe | 28
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 2284 | 2948 | duisc.exe | 29
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 1076 | 2948 | duisc.exe | 30
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2948 wrote to memory of 2288 | 2948 | duisc.exe | 31
PID 2288 wrote to memory of 1340 | 2288 | RunDll32.exe | 17
PID 2288 wrote to memory of 1076 | 2288 | RunDll32.exe | 30
PID 2288 wrote to memory of 592 | 2288 | RunDll32.exe | 8
PID 2288 wrote to memory of 1340 | 2288 | RunDll32.exe | 17
PID 2288 wrote to memory of 1076 | 2288 | RunDll32.exe | 30
PID 2288 wrote to memory of 592 | 2288 | RunDll32.exe | 8
PID 2288 wrote to memory of 1340 | 2288 | RunDll32.exe | 17
Processes
- C:\Windows\system32\svchost.exe (PID 592, level 1)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\Explorer.EXE (PID 1340, level 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\duisc.exe (PID 2948, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\duisc.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msibm\CFSQdll.exe (PID 1444, level 3)
      Command line: C:\Windows\system32\msibm\CFSQdll.exe 20
      - Executes dropped EXE
      - Loads dropped DLL
    - C:\Windows\SysWOW64\Rundll32.exe (PID 2284, level 3)
      Command line: Rundll32.exe C:\Windows\system32\msibm\cfsbho.dll,firstGenGuid
      - Loads dropped DLL
      - Drops file in System32 directory
    - C:\Windows\SysWOW64\RunDll32.exe (PID 1076, level 3)
      Command line: RunDll32.exe C:\Windows\system32\msibm\cfsbho.dll,regUser
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
    - C:\Windows\SysWOW64\RunDll32.exe (PID 2288, level 3)
      Command line: RunDll32.exe C:\Windows\system32\msibm\cfsys.DLL,cfs
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads