Resubmissions
  Submitted          ID                 Score
  29-02-2024 16:06   240229-tkj21sdh7t  10
  27-02-2024 13:03   240227-qat8fshe55  10
  27-02-2024 13:01   240227-p8648shh9w  10
  24-02-2024 15:38   240224-s2555sge7w  10
  23-02-2024 17:47   240223-wddmrsfc51  10
  23-02-2024 16:46   240223-t9yxgaee2z  10
  23-02-2024 14:52   240223-r81nkacd4t  10
  23-02-2024 14:41   240223-r2gbcabb95  10
  23-02-2024 14:40   240223-r1195acb5s  10
  23-02-2024 13:27   240223-qp9xfsge5t  10

Analysis
max time kernel: 219s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 15:38
Static task: static1
Behavioral task: behavioral1
Sample: 6958ACC382E71103A0B83D20BBBB37D2.exe
Resource: win10v2004-20240221-en
General
Target: 6958ACC382E71103A0B83D20BBBB37D2.exe
Size: 232KB
MD5: 6958acc382e71103a0b83d20bbbb37d2
SHA1: 65bf64dfcabf7bc83e47ffc4360cda022d4dab34
SHA256: 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA512: ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae
SSDEEP: 3072:FdfbYSFlTBL/A9OYh6++4hY7gfv9yPQxAVUmZAzsqvj1letKv/jbNRKCnrQbW:PbYSFH/AYYh9vERVUmSAQj1la9
Malware Config

Extracted: smokeloader
  tfd5

Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php

Extracted: redline
  STONE ISLAND
  207.246.120.23:8140

Extracted: lumma
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
  https://resergvearyinitiani.shop/api

Extracted: socks5systemz
  http://cshworn.net/search/?q=67e28dd86409f47d4258fd1d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa1fe8889b5e4fa9281ae978f371ea771795af8e05c64bdb22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef716c8e6909e39
  http://cshworn.net/search/?q=67e28dd86409f47d4258fd1d7c27d78406abdd88be4b12eab517aa5c96bd86e9928e49825a8bbc896c58e713bc90c94a36b5281fc235a925ed3e50d6bd974a95129070b618e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ef9d9d33c46a9214
Signatures

DcRat 3 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
  pid | process
  552 | schtasks.exe
  4532 | schtasks.exe

Detect ZGRat V1 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\D7D.exe | family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\D7D.exe | family_zgrat_v1
  behavioral1/memory/400-137-0x0000000000360000-0x00000000009E0000-memory.dmp | family_zgrat_v1

Glupteba payload 8 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1352-60-0x0000000000400000-0x0000000003122000-memory.dmp | family_glupteba
  behavioral1/memory/1352-61-0x0000000005240000-0x0000000005B2B000-memory.dmp | family_glupteba
  behavioral1/memory/3412-116-0x0000000005340000-0x0000000005C2B000-memory.dmp | family_glupteba
  behavioral1/memory/1352-118-0x0000000000400000-0x0000000003122000-memory.dmp | family_glupteba
  behavioral1/memory/3412-119-0x0000000000400000-0x0000000003122000-memory.dmp | family_glupteba
  behavioral1/memory/3412-281-0x0000000000400000-0x0000000003122000-memory.dmp | family_glupteba
  behavioral1/memory/3412-342-0x0000000000400000-0x0000000003122000-memory.dmp | family_glupteba
  behavioral1/memory/4856-449-0x0000000000400000-0x0000000003122000-memory.dmp | family_glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/4004-238-0x0000000000710000-0x0000000000760000-memory.dmp | family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socks5Systemz
Socks5Systemz is a botnet written in C++.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 4152 created 2652 | 4152 | MsBuild.exe | sihost.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  pid | process
  3484 | netsh.exe

Deletes itself 1 IoCs
Processes:
  pid | process
  3388 |

Executes dropped EXE 15 IoCs
Processes:
  pid | process
  3592 | BA77.exe
  684 | DDDF.exe
  1352 | EAB2.exe
  3412 | EAB2.exe
  400 | D7D.exe
  4848 | 1658.exe
  3964 | 1658.tmp
  2908 | wboot.exe
  1108 | wboot.exe
  4004 | 225F.exe
  1848 | 35B9.exe
  4856 | csrss.exe
  2764 | injector.exe
  3768 | windefender.exe
  4440 | windefender.exe

Loads dropped DLL 7 IoCs
Processes:
  pid | process
  3964 | 1658.tmp
  3964 | 1658.tmp
  3964 | 1658.tmp
  4004 | 225F.exe
  4004 | 225F.exe
  5068 | taskmgr.exe
  400 | D7D.exe

Processes:
  resource | yara_rule
  C:\Windows\windefender.exe | upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
  description | ioc
  Destination IP | 91.211.247.248

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | EAB2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
  description | ioc | process
  File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 3592 set thread context of 3676 | 3592 | BA77.exe | RegAsm.exe
  PID 400 set thread context of 4152 | 400 | D7D.exe | MsBuild.exe
  PID 1848 set thread context of 4144 | 1848 | 35B9.exe | BitLockerToGo.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
  description | ioc | process
  File opened (read-only) | \??\VBoxMiniRdrDN | EAB2.exe

Drops file in Windows directory 4 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\rss | EAB2.exe
  File created | C:\Windows\rss\csrss.exe | EAB2.exe
  File created | C:\Windows\windefender.exe | csrss.exe
  File opened for modification | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  3780 | sc.exe
Program crash 3 IoCs
Processes:
  pid | pid_target | process | target process
  4676 | 4004 | WerFault.exe | 225F.exe
  4596 | 4152 | WerFault.exe | MsBuild.exe
  1140 | 4152 | WerFault.exe | MsBuild.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  552 | schtasks.exe
  4532 | schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease | msinfo32.exe

Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\IESettingSync |
  Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" |
  Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch |
  Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" |
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
  pid | process
  3388 |
  384 | msinfo32.exe
  5068 | taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid | process
  1648 | 6958ACC382E71103A0B83D20BBBB37D2.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2652
    C:\Windows\SysWOW64\dialer.exe
      command line: "C:\Windows\system32\dialer.exe"
      PID: 4464

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
  PID: 1648
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\90B7.bat" "
  PID: 5016
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID: 3852

C:\Users\Admin\AppData\Local\Temp\BA77.exe
  command line: C:\Users\Admin\AppData\Local\Temp\BA77.exe
  PID: 3592
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3676

C:\Users\Admin\AppData\Local\Temp\DDDF.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DDDF.exe
  PID: 684
  - Executes dropped EXE

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E264.bat" "
  PID: 2352
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID: 536

C:\Users\Admin\AppData\Local\Temp\EAB2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EAB2.exe
  PID: 1352
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -nologo -noprofile
      PID: 1552
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\EAB2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\EAB2.exe"
      PID: 3412
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -nologo -noprofile
          PID: 2656
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe
          command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 2128
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\netsh.exe
              command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              PID: 3484
              - Modifies Windows Firewall
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -nologo -noprofile
          PID: 3372
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -nologo -noprofile
          PID: 1512
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\rss\csrss.exe
          command line: C:\Windows\rss\csrss.exe
          PID: 4856
          - Executes dropped EXE
          - Adds Run key to start application
          - Manipulates WinMonFS driver
          - Drops file in Windows directory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -nologo -noprofile
              PID: 2008
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SYSTEM32\schtasks.exe
              command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              PID: 552
              - DcRat
              - Creates scheduled task(s)
            C:\Windows\SYSTEM32\schtasks.exe
              command line: schtasks /delete /tn ScheduledUpdate /f
              PID: 332
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -nologo -noprofile
              PID: 1800
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -nologo -noprofile
              PID: 396
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              PID: 2764
              - Executes dropped EXE
            C:\Windows\SYSTEM32\schtasks.exe
              command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              PID: 4532
              - DcRat
              - Creates scheduled task(s)
            C:\Windows\windefender.exe
              command line: "C:\Windows\windefender.exe"
              PID: 3768
              - Executes dropped EXE
                C:\Windows\SysWOW64\cmd.exe
                  command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  PID: 3460
                    C:\Windows\SysWOW64\sc.exe
                      command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      PID: 3780
                      - Launches sc.exe

C:\Users\Admin\AppData\Local\Temp\D7D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D7D.exe
  PID: 400
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      PID: 4152
      - Suspicious use of NtCreateUserProcessOtherParentProcess
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 432
          PID: 4596
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 420
          PID: 1140
          - Program crash

C:\Users\Admin\AppData\Local\Temp\1658.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1658.exe
  PID: 4848
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp" /SL5="$A0048,4363644,54272,C:\Users\Admin\AppData\Local\Temp\1658.exe"
      PID: 3964
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\WBoot\wboot.exe
          command line: "C:\Users\Admin\AppData\Local\WBoot\wboot.exe" -i
          PID: 2908
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\WBoot\wboot.exe
          command line: "C:\Users\Admin\AppData\Local\WBoot\wboot.exe" -s
          PID: 1108
          - Executes dropped EXE

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 5068
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\Temp\225F.exe
  command line: C:\Users\Admin\AppData\Local\Temp\225F.exe
  PID: 4004
  - Executes dropped EXE
  - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 784
      PID: 4676
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4004 -ip 4004
  PID: 5032

C:\Users\Admin\AppData\Local\Temp\35B9.exe
  command line: C:\Users\Admin\AppData\Local\Temp\35B9.exe
  PID: 1848
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 4144

C:\Windows\system32\msinfo32.exe
  command line: "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\LockUndo.nfo"
  PID: 384
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4152 -ip 4152
  PID: 1204

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4152 -ip 4152
  PID: 3044

C:\Windows\windefender.exe
  command line: C:\Windows\windefender.exe
  PID: 4440
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
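The deepest branch of the tree ends with `sc sdset WinDefender D:(A;;…)…`, which replaces the security descriptor of the service the sample installs under the name WinDefender. The decoder below is an added example, not code from this report or from the sample: it parses that SDDL string with the service-object meaning of the two-letter rights, lists every ACE, and reports the Deny entries that take SERVICE_STOP and SERVICE_PAUSE_CONTINUE away from Administrators. The rights and trustee tables are the standard service mappings; `can_access` models a token that holds a single SID, which is a simplification of the real access check.

```python
import re

# Two-letter SDDL rights as the Service Control Manager interprets them on
# service objects (on files the generic names CC/DC/LC/... mean something else).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System",
    "BA": "Administrators",
    "IU": "Interactive users",
    "SU": "Service logon users",
    "WD": "Everyone",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}

# The descriptor passed to `sc sdset WinDefender` by PID 3780 in the process tree.
OBSERVED_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def _decode_rights(field):
    """Split a rights field such as 'WPDT' into service right names."""
    if field.startswith("0x"):          # numeric mask form, left undecoded
        return [field]
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [SERVICE_RIGHTS.get(p, p) for p in pairs]


def _parse_acl(acl_text):
    """Turn '(type;flags;rights;objguid;inhguid;sid)...' into a list of ACE dicts."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl_text):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": flags,
            "rights": _decode_rights(rights),
            "trustee": TRUSTEES.get(sid, sid),
        })
    return aces


def parse_sddl(sddl):
    """Return (dacl, sacl) ACE lists; O:/G: owner and group parts are ignored."""
    sections = dict(re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl))
    return _parse_acl(sections.get("D", "")), _parse_acl(sections.get("S", ""))


def can_access(dacl, trustee, right):
    """Walk the DACL in order for a token holding only `trustee`: the first ACE
    naming the right decides, and a right no ACE mentions is implicitly denied."""
    for ace in dacl:
        if ace["trustee"] != trustee or right not in ace["rights"]:
            continue
        if ace["type"] == "Deny":
            return False
        if ace["type"] == "Allow":
            return True
    return False


def admin_control_denials(dacl):
    """Deny ACEs for Administrators that cover stop or pause/continue."""
    hits = []
    for ace in dacl:
        if ace["type"] == "Deny" and ace["trustee"] == "Administrators":
            blocked = [r for r in ace["rights"]
                       if r in ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE")]
            if blocked:
                hits.append(blocked)
    return hits


def dacl_is_canonical(dacl):
    """True when every Deny ACE precedes every Allow ACE, the order Windows tools write."""
    seen_allow = False
    for ace in dacl:
        seen_allow |= ace["type"] == "Allow"
        if ace["type"] == "Deny" and seen_allow:
            return False
    return True


if __name__ == "__main__":
    dacl, sacl = parse_sddl(OBSERVED_SDDL)
    for ace in dacl + sacl:
        print(f"{ace['type']:5} {ace['trustee']:20} {' '.join(ace['rights'])}")
    print("admins denied:", admin_control_denials(dacl))
    print("admins may stop:", can_access(dacl, "Administrators", "SERVICE_STOP"))
    print("admins may rewrite DACL:", can_access(dacl, "Administrators", "WRITE_DAC"))
    print("canonical order:", dacl_is_canonical(dacl))
```

Two things fall out of the decode. The Allow ACE for Administrators already omits SERVICE_STOP and SERVICE_PAUSE_CONTINUE (a stock service grants both), so the explicit Deny that follows is belt and braces against `sc stop`; it sits after an Allow for the same trustee, which is not canonical order, and the checker reports that rather than guessing how the SCM applies it. At the same time the Allow ACE keeps WRITE_DAC and WRITE_OWNER, so an administrator can still put a normal descriptor back with `sc sdset` and then stop the service, and Local System is never restricted at all.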
MITRE ATT&CK Enterprise v15

Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Scheduled Task/Job (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Scheduled Task/Job (1)
Defense Evasion
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - Modify Registry (2)
Downloads

- Filesize: 4.4MB
  MD5: 8ae7cc1ef4f1d40c7c9971da4057c3e0
  SHA1: 07727c3a24c7535000bd223e7c8fe8e4e749b418
  SHA256: 61e3cd393587fb708017b9bd103dbdef9817e07daefb727164a5532ae3775445
  SHA512: a0d7a3c33d8e266d410cb4db4e10d3679c8a9c2eb8a9ed144c3c6ae92dd7a35eb3d03c6c633bcb240121298cdb7f20d41c07b2e42e2b6eb28154804f47cd4a9f

- Filesize: 500KB
  MD5: 3172411985e2fb51fd76d31bc7667eef
  SHA1: 0f52ec3d4c9f4fe8fdc5f2646faf2d0dff6f57fd
  SHA256: 255f64836d162c0b164d8abc069a6c481a2e50263c2e0c9d753ad899303663ff
  SHA512: 960bcdad82956cb5f0bbaab1caf6665802a5bd495fed182532bdba8d043d83a1ed04240cffbadcad0165376dbe51b74cde49e44cb9db434e9a5f56af47c8461e

- Filesize: 11.8MB
  MD5: 450039a02217c53bd983eaf1fd34505a
  SHA1: 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
  SHA256: d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
  SHA512: cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

- Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

- Filesize: 315KB
  MD5: b196aee0a5e061fef0df919c7218d8f6
  SHA1: c3e0cb601429a22ee3d636a21344c6d58b56b1c3
  SHA256: 4010a68d26a450fc9ad24a82d72c10483690f67b3d9a592a156c0a6942f1169d
  SHA512: 2f5b631f2b0604720d3451c4470e9bedaf74a50a60918bd1a154470ed16ac2b07989894646663e75147c1930aa0df22d634358b5334615408607e253cced39f3

- Filesize: 6.1MB
  MD5: c216c91b76de2935dfbaaebb91510caa
  SHA1: 3315a9876db6acdf38f80746d6c5e2369d55e3d8
  SHA256: c2c32ae662c78fff27c1002d69bd21c64a4934b2f7946fa2d0cf66343dbd2a4d
  SHA512: 49fd59e0c7cadde5254d3c054d7cf0e68f9a2197e056fe116da4cfcf92bf3957d997cbae0c137ae0995c1b6de92b4f03365d1d0905fb62ddd5e45026098f20f0

- Filesize: 5.2MB
  MD5: 5be46aeeae3571f97010a6599658e8f7
  SHA1: a9930f8dc10343e922e66b4cd3cd89f27ce45564
  SHA256: 4fc23d261873d255f0c86d3460c83099cefa03cc6bfd3505b5119c5b931b9665
  SHA512: fcc27a88410f15b19b0349fb1efcae1bf077cb50afd2dc038dbdccf828379e4b823ee87d272d93b5af3cffff3fff83e08f3067b30de200ec4f32ed4254bf43e6

- Filesize: 5.0MB
  MD5: 0904e849f8483792ef67991619ece915
  SHA1: 58d04535efa58effb3c5ed53a2462aa96d676b79
  SHA256: fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
  SHA512: 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

- Filesize: 4.1MB
  MD5: 4c02b2e8beed76dd1a09a9ca69b42806
  SHA1: 7f4d8f16967bffb93f710a13efcb231f53aa3c14
  SHA256: 8e48cec9553839ea44224077e839cada345493c42a0d03607e85857462df89bb
  SHA512: 899a70afcf0f83e1d370547b8d96c4fc40aa10257d6ae1de8e8bcdf4ef56e7e2eca705230e9a87bcfd3b43ffe043193b13cc233a8c09ad95335529ecf81e4225

- Filesize: 742KB
  MD5: 544cd51a596619b78e9b54b70088307d
  SHA1: 4769ddd2dbc1dc44b758964ed0bd231b85880b65
  SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
  SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 99KB
  MD5: 09031a062610d77d685c9934318b4170
  SHA1: 880f744184e7774f3d14c1bb857e21cc7fe89a6d
  SHA256: 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
  SHA512: 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

- Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

- Filesize: 689KB
  MD5: 68b5435b6618aa82640eb05ba06ffc63
  SHA1: c9ce956e7fe6ad5bb127acad6ec8bbde2dccefa4
  SHA256: b38061ac87265174e7a4799555a51305351de9c8b1f420d6765914085699a2c5
  SHA512: 95bd4fe5bca104ddf50e4b5933f9dc6f3b07a2c8d7b2b1779f4dc6a578b264bbb2ab4c12b9fa85b7971e73df3b476c0a5d15e8abb554d1446d58c3a835734b13

- Filesize: 3.5MB
  MD5: a806fbd7a2cbbc2205fa9ab2a1a7dd9d
  SHA1: f793166c313738fad2f82e28664834b5993bbdae
  SHA256: 117b52c92dde952b53484ffda2ebaeab3879c4cd8c900673512aaf7251c55f64
  SHA512: 0b7475fc32fd26778674082b626ba659ff8988d9294cdb3df770e59559d96f097ad79da6b17e4996f054f5e4f8c1192a653b852760455e6cede71920e591d659

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 8b236b5f8ee67ef898fbd47c6259aabe
  SHA1: e549394a6d5332561a71a6a356f32f34b100b6a9
  SHA256: a74b6f3025017c202f6757b54db7212b0caec0ed72d6a59e7fa9ee0b404a1020
  SHA512: ddb15159dc340b1e4139c4b1276bae68245ecdef39cfb23ec02dd1dfe95a7c22c27a4d5a910d1f149794682d0924769cb9640a93a0f04ffc250de321ac8eb9c1

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 0386a7850f54d94b8e2de7b6cbf495f1
  SHA1: b0e2be802a967da809373ec6205ff4294db381ca
  SHA256: 31746026e18b2597195759f1a43d2ab1780738e8a8aa3ee220a426590758ae95
  SHA512: 41da0f89110832d27c078894660e5bf14e00eaf2ba3b6692e928c7d51f5de0d4788b245b92686be9be21c4bbb99ca1a590b8d122474dfc27f5c6bda526bd0f05

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 831380f3bb36f9ac25ff88e2646198dc
  SHA1: 6ca6023c3451fbcc5801b3b824f684166841cf44
  SHA256: 160ba239b3c55b2dab6fe92201c62dfbe66efa3f75cdad0d57d98376c39a7e49
  SHA512: 042ba9e16fa6739d3e37f00f4759bfc50367bd299f521ec3b419f217feb6fb91cfeeb57686133ced990f82afeaf51d51dcabb24e9e6a748d02f1b2e82e20c2f6

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 7db5ce9e9926e8dd1165482c8bdccad1
  SHA1: 9b008b2e3107d8829f3b3e5b737a56958e45e48a
  SHA256: fb03561413fdce4e21ca105167198c524bb932826408f716c217c043d0af6062
  SHA512: f35ed436c1e3942b2f1c6f95acc580eaeda0ac056b7d26690bcf5911f91bab1796fe2ea88b7f4986b36f355975802ef0865d88348acdebe182c9202d39d1e935

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: a865bdbf0b5a1001469a003cd1f3f47f
  SHA1: 10da1e7820af693405d3560c86d8b30f98f2a541
  SHA256: f461d61dd8f5577ecf7a75f2e4b9a777db8927df4c90e820ed0ffbdc69d7b26a
  SHA512: 948b35273ac0dc7179f5fea1e0147755d5e6df6a949e7ea4a929ec1dff1a7b60b2ebeb0a2557a9f978afb122a9e8147b6131b5eb020c992ce093ea08e6ba22d5

- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec