Analysis
max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2024 18:03
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231215-en
General
Target: tmp.exe
Size: 6.3MB
MD5: c67cb967230036816fd0cbbfd96959c6
SHA1: d2fe988a302dce4bc0f34a1003a623f96a06b250
SHA256: d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76
SHA512: 2f51046e44bdfa470f676071c69da8c05d50d8f79e748748f25ac13ec53d346f1c3988148000fea3ece38623fd629d1b3dcc943006e80b7bee95da7f1f42920c
SSDEEP: 196608:GHqO3grg0lAc4G+JCJjsP8BXkf/hmzJzFYngA13jvHKvj4:GHzCOc4G+oB0BmdFY31zq
Malware Config

Extracted: smokeloader
  pub1

Extracted: stealc
  http://185.172.128.79
  url_path: /3886d2276f6914c4.php

Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php

Extracted: djvu
  http://habrafa.com/test1/get.php
  extension: .cdcc
  offline_id: LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
  payload_url: http://brusuax.com/dl/build2.exe
  payload_url: http://habrafa.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

Extracted: redline
  Exodus
  93.123.39.68:1334
Signatures

DcRat (4 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  pid 2024  schtasks.exe
  pid 4376  schtasks.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  tmp.exe
  pid 4352  schtasks.exe
Detected Djvu ransomware (7 IoCs)
  behavioral2/memory/1736-323-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1736-325-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1736-327-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1736-351-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/2276-366-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/2276-365-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/2276-368-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload (13 IoCs)
  behavioral2/memory/5060-52-0x0000000002DB0000-0x000000000369B000-memory.dmp  family_glupteba
  behavioral2/memory/5060-53-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/5060-84-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/5060-178-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/5060-180-0x0000000002DB0000-0x000000000369B000-memory.dmp  family_glupteba
  behavioral2/memory/5060-193-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/2784-204-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/2784-251-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/2784-319-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/2784-388-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/4988-408-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/4988-484-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
  behavioral2/memory/4988-490-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
  behavioral2/files/0x00050000000162b0-582.dat  family_redline
SectopRAT payload (1 IoCs)
  behavioral2/files/0x00050000000162b0-582.dat  family_sectoprat
SmokeLoader
Modular backdoor trojan in use since 2014.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  B2CF.exe
Downloads MZ/PE file
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 3676  netsh.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  B2CF.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  B2CF.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  8E71.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  tmp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  nsxF1B5.tmp
Executes dropped EXE (23 IoCs)
  pid 5060  d21cbe21e38b385a41a68c5e6dd32f4c.exe
  pid 3164  InstallSetup9.exe
  pid 1360  toolspub1.exe
  pid 1528  BroomSetup.exe
  pid 4496  nsxF1B5.tmp
  pid 2784  d21cbe21e38b385a41a68c5e6dd32f4c.exe
  pid 3444  752B.exe
  pid 4104  8E71.exe
  pid 1736  8E71.exe
  pid 388   8E71.exe
  pid 4988  csrss.exe
  pid 2276  8E71.exe
  pid 3236  injector.exe
  pid 2436  windefender.exe
  pid 1808  windefender.exe
  pid 4512  6431.exe
  pid 464   B2CF.exe
  pid 2000  C1A4.exe
  pid 1084  C1A4.tmp
  pid 1900  C762.exe
  pid 3620  CA22.exe
  pid 4432  pyobjserialization.exe
  pid 64    pyobjserialization.exe
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine  B2CF.exe
Loads dropped DLL (6 IoCs)
  pid 3164  InstallSetup9.exe
  pid 3164  InstallSetup9.exe
  pid 4496  nsxF1B5.tmp
  pid 4496  nsxF1B5.tmp
  pid 3164  InstallSetup9.exe
  pid 1084  C1A4.tmp
Modifies file permissions (1 TTPs, 1 IoCs)
  pid 3788  icacls.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

  behavioral2/files/0x0003000000000707-489.dat  upx
  behavioral2/memory/2436-494-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\449ef933-f517-4d7f-8de2-db3b65fec0bd\\8E71.exe\" --AutoStart"  8E71.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  d21cbe21e38b385a41a68c5e6dd32f4c.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 74  api.2ip.ua
  flow 75  api.2ip.ua
Manipulates WinMonFS driver (1 IoCs)
Rootkits write to WinMonFS to hide directories/files from being detected.
  File opened for modification  \??\WinMonFS  csrss.exe
Drops file in System32 directory (7 IoCs)
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 464  B2CF.exe
Suspicious use of SetThreadContext (2 IoCs)
  PID 4104 set thread context of 1736  pid 4104  8E71.exe  procid_target 122
  PID 388 set thread context of 2276  pid 388  8E71.exe  procid_target 127
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  File opened (read-only)  \??\VBoxMiniRdrDN  d21cbe21e38b385a41a68c5e6dd32f4c.exe
Drops file in Windows directory (4 IoCs)
  File opened for modification  C:\Windows\rss  d21cbe21e38b385a41a68c5e6dd32f4c.exe
  File created  C:\Windows\rss\csrss.exe  d21cbe21e38b385a41a68c5e6dd32f4c.exe
  File created  C:\Windows\windefender.exe  csrss.exe
  File opened for modification  C:\Windows\windefender.exe  csrss.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid 1896  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (4 IoCs)
  pid 940   pid_target 4496  WerFault.exe  procid_target 88
  pid 1992  pid_target 2276  WerFault.exe  procid_target 127
  pid 3392  pid_target 4512  WerFault.exe  procid_target 149
  pid 3304  pid_target 4512  WerFault.exe  procid_target 149
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspub1.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspub1.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspub1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  752B.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  752B.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  752B.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  nsxF1B5.tmp
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  nsxF1B5.tmp
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4352  schtasks.exe
  pid 2024  schtasks.exe
  pid 4376  schtasks.exe
Delays execution with timeout.exe (1 IoCs)
  pid 3760  timeout.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 1360  toolspub1.exe
  pid 3444  752B.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 1084  C1A4.tmp
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 1528  BroomSetup.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - DcRat
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1628
  [depth 2] C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -nologo -noprofile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:5016
    [depth 3] C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID:2784
      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID:656
      [depth 4] C:\Windows\system32\cmd.exe
        Command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        PID:3756
        [depth 5] C:\Windows\system32\netsh.exe
          Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
          PID:3676
      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID:4660
      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID:5096
      [depth 4] C:\Windows\rss\csrss.exe
        Command: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Manipulates WinMonFS driver.
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID:4988
        [depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID:208
        [depth 5] C:\Windows\SYSTEM32\schtasks.exe
          Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
          PID:2024
        [depth 5] C:\Windows\SYSTEM32\schtasks.exe
          Command: schtasks /delete /tn ScheduledUpdate /f
          PID:4116
        [depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID:3740
        [depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID:1052
        [depth 5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          - Executes dropped EXE
          PID:3236
        [depth 5] C:\Windows\SYSTEM32\schtasks.exe
          Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
          PID:4376
        [depth 5] C:\Windows\windefender.exe
          Command: "C:\Windows\windefender.exe"
          - Executes dropped EXE
          PID:2436
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            PID:2184
            [depth 7] C:\Windows\SysWOW64\sc.exe
              Command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
              - Suspicious use of AdjustPrivilegeToken
              PID:1896
  [depth 2] C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3164
    [depth 3] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      Command: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:1528
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        - Suspicious use of WriteProcessMemory
        PID:2352
        [depth 5] C:\Windows\SysWOW64\chcp.com
          Command: chcp 1251
          PID:2628
        [depth 5] C:\Windows\SysWOW64\schtasks.exe
          Command: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
          - DcRat
          - Creates scheduled task(s)
          PID:4352
    [depth 3] C:\Users\Admin\AppData\Local\Temp\nsxF1B5.tmp
      Command: C:\Users\Admin\AppData\Local\Temp\nsxF1B5.tmp
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      PID:4496
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsxF1B5.tmp" & del "C:\ProgramData\*.dll"" & exit
        - Suspicious use of WriteProcessMemory
        PID:2912
        [depth 5] C:\Windows\SysWOW64\timeout.exe
          Command: timeout /t 5
          - Delays execution with timeout.exe
          PID:3760
      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 2232
        - Program crash
        PID:940
  [depth 2] C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1360
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4496 -ip 4496
  PID:4464
[depth 1] C:\Users\Admin\AppData\Local\Temp\752B.exe
  Command: C:\Users\Admin\AppData\Local\Temp\752B.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3444
[depth 1] C:\Users\Admin\AppData\Local\Temp\8E71.exe
  Command: C:\Users\Admin\AppData\Local\Temp\8E71.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4104
  [depth 2] C:\Users\Admin\AppData\Local\Temp\8E71.exe
    Command: C:\Users\Admin\AppData\Local\Temp\8E71.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1736
    [depth 3] C:\Windows\SysWOW64\icacls.exe
      Command: icacls "C:\Users\Admin\AppData\Local\449ef933-f517-4d7f-8de2-db3b65fec0bd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID:3788
    [depth 3] C:\Users\Admin\AppData\Local\Temp\8E71.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\8E71.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      PID:388
      [depth 4] C:\Users\Admin\AppData\Local\Temp\8E71.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\8E71.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        PID:2276
        [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 592
          - Program crash
          PID:1992
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2276 -ip 2276
  PID:656
[depth 1] C:\Windows\windefender.exe
  Command: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1808
[depth 1] C:\Users\Admin\AppData\Local\Temp\6431.exe
  Command: C:\Users\Admin\AppData\Local\Temp\6431.exe
  - Executes dropped EXE
  PID:4512
  [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 340
    - Program crash
    PID:3392
  [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1072
    - Program crash
    PID:3304
[depth 1] C:\Users\Admin\AppData\Local\Temp\B2CF.exe
  Command: C:\Users\Admin\AppData\Local\Temp\B2CF.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:464
[depth 1] C:\Users\Admin\AppData\Local\Temp\C1A4.exe
  Command: C:\Users\Admin\AppData\Local\Temp\C1A4.exe
  - Executes dropped EXE
  PID:2000
  [depth 2] C:\Users\Admin\AppData\Local\Temp\is-KRQ7L.tmp\C1A4.tmp
    Command: "C:\Users\Admin\AppData\Local\Temp\is-KRQ7L.tmp\C1A4.tmp" /SL5="$80242,7448198,54272,C:\Users\Admin\AppData\Local\Temp\C1A4.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:1084
    [depth 3] C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe
      Command: "C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe" -i
      - Executes dropped EXE
      PID:4432
    [depth 3] C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe
      Command: "C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe" -s
      - Executes dropped EXE
      PID:64
[depth 1] C:\Users\Admin\AppData\Local\Temp\C762.exe
  Command: C:\Users\Admin\AppData\Local\Temp\C762.exe
  - Executes dropped EXE
  PID:1900
[depth 1] C:\Users\Admin\AppData\Local\Temp\CA22.exe
  Command: C:\Users\Admin\AppData\Local\Temp\CA22.exe
  - Executes dropped EXE
  PID:3620
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4512 -ip 4512
  PID:392
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4512 -ip 4512
  PID:752
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)
Downloads