Analysis
-
max time kernel: 76s
-
max time network: 155s
-
platform: windows10-2004_x64
-
resource: win10v2004-20240226-en
-
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
-
submitted: 27-02-2024 05:37
Static task
static1
Behavioral task
behavioral1
Sample
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Resource
win10v2004-20240226-en
General
-
Target
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
-
Size
163KB
-
MD5
636c32103ef487d1c30df530296f014b
-
SHA1
f280007f3c78b0823d8978bec1c1cdf792bf5fc6
-
SHA256
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
-
SHA512
2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
-
SSDEEP
3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Extracted
smokeloader
pub1
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1160-255-0x0000000002D80000-0x000000000366B000-memory.dmp  family_glupteba
behavioral2/memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4072-52-0x0000000000400000-0x0000000002D8C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4072-143-0x0000000000400000-0x0000000002D8C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
-
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects executables Discord URL observed in first stage droppers 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
-
Detects executables containing URLs to raw contents of a Github gist 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
-
Detects executables containing artifacts associated with disabling Windows Defender 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
-
Detects executables packed with VMProtect. 7 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3272-116-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3272-121-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/5092-125-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/5092-155-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/5092-218-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/5092-312-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/5092-318-0x0000000000400000-0x00000000006E8000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
-
Detects executables referencing many varying, potentially fake Windows User-Agents 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
-
UPX dump on OEP (original entry point) 10 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4308-43-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-45-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-50-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-54-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-40-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-55-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-142-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-156-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-162-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral2/memory/4308-245-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation  40A3.exe
-
Deletes itself 1 IoCs
Processes:
pid  process
3448
-
Executes dropped EXE 16 IoCs
Processes:
pid  process
1152  DDFC.exe
2176  F128.exe
4308  F128.exe
4072  F3D9.exe
1208  FB7B.exe
4724  FB7B.tmp
3272  cddvdspeed.exe
5092  cddvdspeed.exe
3956  40A3.exe
1160  288c47bbc1871b439df19ff4df68f076.exe
60  InstallSetup4.exe
576  FourthX.exe
2908  5555.exe
2844  BroomSetup.exe
1852  nsk5D50.tmp
4360  7820.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid  process
2136  regsvr32.exe
4308  F128.exe
4724  FB7B.tmp
4724  FB7B.tmp
4724  FB7B.tmp
60  InstallSetup4.exe
60  InstallSetup4.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource  yara_rule
behavioral2/memory/4308-43-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-45-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-50-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-54-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-40-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-55-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-142-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-156-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-162-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral2/memory/4308-245-0x0000000000400000-0x0000000000848000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""  F128.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description  ioc  process
File opened for modification  \??\PHYSICALDRIVE0  F3D9.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 2176 set thread context of 4308  2176  F128.exe  F128.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
5332  sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid  pid_target  process  target process
1928  1852  WerFault.exe  nsk5D50.tmp
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5555.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5555.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5555.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  nsk5D50.tmp
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  nsk5D50.tmp
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
464  c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
464  c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
3448  (62 entries, no process name recorded)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid  process
464  c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
2908  5555.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
description  pid  process
Token: SeShutdownPrivilege  3448  (11 entries, no process name recorded)
Token: SeCreatePagefilePrivilege  3448  (11 entries, no process name recorded)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid  process
4724  FB7B.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid  process
2844  BroomSetup.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Process filter: regsvr32.exe, F128.exe, FB7B.exe, FB7B.tmp, 40A3.exe, InstallSetup4.exe, BroomSetup.exe, cmd.exe
description  pid  process  target process
PID 3448 wrote to memory of 1152  3448  DDFC.exe  (3 entries)
PID 3448 wrote to memory of 456  3448  regsvr32.exe  (2 entries)
PID 456 wrote to memory of 2136  456  regsvr32.exe  regsvr32.exe  (3 entries)
PID 3448 wrote to memory of 2176  3448  F128.exe  (3 entries)
PID 2176 wrote to memory of 4308  2176  F128.exe  F128.exe  (8 entries)
PID 3448 wrote to memory of 4072  3448  F3D9.exe  (3 entries)
PID 3448 wrote to memory of 1208  3448  FB7B.exe  (3 entries)
PID 1208 wrote to memory of 4724  1208  FB7B.exe  FB7B.tmp  (3 entries)
PID 4724 wrote to memory of 3272  4724  FB7B.tmp  cddvdspeed.exe  (3 entries)
PID 4724 wrote to memory of 5092  4724  FB7B.tmp  cddvdspeed.exe  (3 entries)
PID 3448 wrote to memory of 3956  3448  40A3.exe  (3 entries)
PID 3956 wrote to memory of 1160  3956  40A3.exe  288c47bbc1871b439df19ff4df68f076.exe  (3 entries)
PID 3956 wrote to memory of 60  3956  40A3.exe  InstallSetup4.exe  (3 entries)
PID 3956 wrote to memory of 576  3956  40A3.exe  FourthX.exe  (2 entries)
PID 3448 wrote to memory of 2908  3448  5555.exe  (3 entries)
PID 60 wrote to memory of 2844  60  InstallSetup4.exe  BroomSetup.exe  (3 entries)
PID 60 wrote to memory of 1852  60  InstallSetup4.exe  nsk5D50.tmp  (3 entries)
PID 2844 wrote to memory of 4956  2844  BroomSetup.exe  cmd.exe  (3 entries)
PID 4956 wrote to memory of 2732  4956  cmd.exe  chcp.com  (3 entries)
PID 4956 wrote to memory of 3432  4956  cmd.exe  schtasks.exe  (3 entries)
PID 3448 wrote to memory of 4360  3448  7820.exe  (1 entry)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Command: "C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:464
-
Image: C:\Users\Admin\AppData\Local\Temp\DDFC.exe
Command: C:\Users\Admin\AppData\Local\Temp\DDFC.exe
- Executes dropped EXE
PID:1152
-
Image: C:\Windows\system32\regsvr32.exe
Command: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E9A5.dll
- Suspicious use of WriteProcessMemory
PID:456
  Image: C:\Windows\SysWOW64\regsvr32.exe
  Command: /s C:\Users\Admin\AppData\Local\Temp\E9A5.dll
  - Loads dropped DLL
  PID:2136
-
Image: C:\Users\Admin\AppData\Local\Temp\F128.exe
Command: C:\Users\Admin\AppData\Local\Temp\F128.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176
  Image: C:\Users\Admin\AppData\Local\Temp\F128.exe
  Command: C:\Users\Admin\AppData\Local\Temp\F128.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:4308
-
Image: C:\Users\Admin\AppData\Local\Temp\F3D9.exe
Command: C:\Users\Admin\AppData\Local\Temp\F3D9.exe
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4072
-
Image: C:\Users\Admin\AppData\Local\Temp\FB7B.exe
Command: C:\Users\Admin\AppData\Local\Temp\FB7B.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208
  Image: C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp
  Command: "C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp" /SL5="$601EA,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FB7B.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4724
    Image: C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
    Command: "C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i
    - Executes dropped EXE
    PID:3272
    Image: C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
    Command: "C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s
    - Executes dropped EXE
    PID:5092
-
Image: C:\Users\Admin\AppData\Local\Temp\40A3.exe
Command: C:\Users\Admin\AppData\Local\Temp\40A3.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956
  Image: C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  - Executes dropped EXE
  PID:1160
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell -nologo -noprofile
    PID:3420
  Image: C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:60
    Image: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    Command: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
      Image: C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      - Suspicious use of WriteProcessMemory
      PID:4956
        Image: C:\Windows\SysWOW64\chcp.com
        Command: chcp 1251
        PID:2732
        Image: C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        - Creates scheduled task(s)
        PID:3432
    Image: C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp
    Command: C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1852
      Image: C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2444
      - Program crash
      PID:1928
  Image: C:\Users\Admin\AppData\Local\Temp\FourthX.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
  - Executes dropped EXE
  PID:576
    Image: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    PID:1944
    Image: C:\Windows\system32\sc.exe
    Command: C:\Windows\system32\sc.exe delete "UTIXDCVF"
    - Launches sc.exe
    PID:5332
    Image: C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID:5320
-
Image: C:\Users\Admin\AppData\Local\Temp\5555.exe
Command: C:\Users\Admin\AppData\Local\Temp\5555.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2908
-
Image: C:\Users\Admin\AppData\Local\Temp\7820.exe
Command: C:\Users\Admin\AppData\Local\Temp\7820.exe
- Executes dropped EXE
PID:4360
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852
PID:2344
-
Image: C:\Users\Admin\AppData\Roaming\vdgddsd
Command: C:\Users\Admin\AppData\Roaming\vdgddsd
PID:5036
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize 11KB
MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize 320KB
MD5 fc9adc3be6d2f7b25cca4796edd030b6
SHA1 f3fcf562fc81b282f9c57eba3d8a0bbb78eb4a42
SHA256 880d80e81efe9cc4486e5ca44be1ffc1dfda08b15811700c482c47aa83e1887f
SHA512 c20f4949b1a0227d694ed632fb7e339e407e1a2ccb78919c154d04ed35ea6630d897ec8966d5653f942612a452c87eb23eb15f23cac4b817b76b2a25e4ce71bd
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 1.5MB
MD5 bd0af730b5aa6bb4ed361cdf57ca5e02
SHA1 4e2aad9d062125117ec45b264efb922f4aa7c767
SHA256 1d025c2042b4aea56ae53595c8ef990cc5878d276139f38129d2f9019dba8337
SHA512 01b38ffc3f5145b89756398b8469764e19ccec64f887324f4ea9ff93f76060cf378e430b57974d7751f65405a31650e848f88ed098789f6b578cde0d8ba51d0e
-
Filesize 1.1MB
MD5 5c5f370c61a6a5983503033353777995
SHA1 13d63a5c9c5130883d03352e2d50048299a737ce
SHA256 57d2fbd1da84559a9dedd903b9dfacbc3e7807df7855703055b807e71aae64ce
SHA512 713163044c3c6419da016f70c493cd450993eddeb92134457b4eb4f3aa23c1652ae574a238f5bb8e5041a7e2993d111313a29ea4537ce6bd01225d1142e5b683
-
Filesize 576KB
MD5 3fa073ec19cd4f54f6bae08997c4eb42
SHA1 e85d64a440bb0b3d7aee8453377be3a72e8a37d4
SHA256 7ea83bdcfaef69652a88b9968b72b1136f69464861a1d4249a61f91d511a021c
SHA512 64e47d8e39a32df79f4dd1d04c5be642ce94afc28a4240bd20a33783125ca3a12f430754ea7b70de15b9ad3b4817479ce26a5207f687b5c6eda6feb219929a56
-
Filesize 4.1MB
MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986
-
Filesize 2.7MB
MD5 a112d52e38281dd98a9257d14cd61869
SHA1 8897dfcb3b7d8e8dc4afae85b8467596237f2479
SHA256 b7e63792be942d46cc141691d71308fcde132cd63a788922f63dee30065313d8
SHA512 cf1e2141036e7ed3f1407712a80a61dcd77ae0ae55e87057b8dded3aa51724d0944d5f5f165583fc6c59a6c8f14a62ec514b12893ed8cbf7c8d782c055b39ca8
-
Filesize 2.0MB
MD5 b8bbbebf6a96db29f8a6c2c3e2726b72
SHA1 074958a02f3c65261dfe5d4c349b7af4849ee707
SHA256 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39
SHA512 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74
-
Filesize 3.9MB
MD5 6e823d0939a45b0898acd98d9199e2ac
SHA1 d5cefac791796cacd8a5e584c33260fb13f6ce21
SHA256 10337b67728d93fa4b79e6dcf029a1ee1a4680c098c87e8fe1425e5788d1b1b0
SHA512 0b5e0943f40680ceb41825a60ddaf4ae60c4099d13593b09cd16abed87c88f2daafd90fe8443643f3cf0e2422bf702679207d86b2a8eec8ba9edade5cffcf676
-
Filesize 3.1MB
MD5 0866b1a679c5089c802afca72bb3a57f
SHA1 2a2810c95ebebfb258947574c3eb1089a606a118
SHA256 50a8268fd89cba268a210c6f96ac6f342dbcd7b988ab6498c2df9e608097b02a
SHA512 ed3c22ace7add1e7d374b44a49c28969cb49c83459652955415d5d3eac26d43d63bf8720cb86536f29a3f9e44f7f3b352d4376112e6484ff3cf262e6ec057a66
-
Filesize 2.6MB
MD5 b0ca41b249e5621a4033dc3c024af9f0
SHA1 de5ffceae5a0aee20d080096792eac80d1866e1c
SHA256 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
SHA512 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87
-
Filesize 2.8MB
MD5 02a68215f77ef263c158f621d09beff4
SHA1 ddc8ed5f58de8c18abd15f1bd987e31ff65b7f50
SHA256 f5e8c81a5359189a8ba8d7a38f994b73b2d56d5d62269cfa29ef9144ef51771f
SHA512 e6e7b478443c89cb5e9235a14ca159a1068d48df0f08df2f207df4390d2a2727c096b3905c95d9a35d478c0441e857d99b0d0983aed484a8eafe317843408b40
-
Filesize 245KB
MD5 fbc2d00d3becdb29396535bc33ec9f1e
SHA1 cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256 adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA512 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa
-
Filesize 4.4MB
MD5 b0bea351be866ef906b3833c4895098b
SHA1 c45fdd52e15ed7fe23b403256bf6a5c2fe5544f1
SHA256 87ca94756569c50ea27472db9ac4e7744c9b073977e2ef24d7cb9018beb19dc1
SHA512 27700675f77ade6f32dc805faa350885414429ff14e7d5df936c0a6f352241c96edef976c68bdb4bb15e1be11a3cda91e68daf07539a2e20f6863a90092c0aea
-
Filesize 4.5MB
MD5 e05338227a83124f557ed756094a6ff4
SHA1 e759c022e482be13c8650b20832eebfb7f97f850
SHA256 c38e43aa8cd2dc76fda3afbd06a7762beb58ad9e971a09a299a82ab670486fe6
SHA512 95d9f77fae36ba27c6dda9c27f72c16e882278d5b732528223cd41386a11d538a96d20ec8bb309821f2f3f947259c242d78b91ab7c42332b79d0657dff94ae7c
-
Filesize 832KB
MD5 493aaadcde8cc6b5c52ac667397b90f7
SHA1 2e00ab93263174991fdf98db28f513a50e43ea0c
SHA256 67b68339c2c694cf43321c5f039a5a23fbfa015fe5ef221d5e4260f1bc0e4d7c
SHA512 f9289fc0734b29060d8fe3b5c0060c79cf9831d56642f09810231d01363a9e4c82522385ec6078cd7b4fda30f436e7acb50636add20c4385b83142727c832716
-
Filesize 5.0MB
MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
-
Filesize 2.0MB
MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae
-
Filesize 320KB
MD5 c63893c98236d8df8e0dd6363b504ebe
SHA1 876082f00af9318877dbd19ad499b268e144ddc2
SHA256 41c42d40dd28ef8db44ed6a04d058e6082016bba29cda362c38f98d4eebd9b17
SHA512 078badac8f6f81f91f44c617f50648a5678aff3797f84c75f16c57af3ed34f55871d6ff0938c3ac56300e7405929dc80d4dbfa6e8ad45449d1d0b920832bc4de
-
Filesize 1024KB
MD5 34c292f7112a9db3194e6c78ab2fe7b1
SHA1 150dd5ac6efd93b95d167897a2c870c5125df0ab
SHA256 c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01
SHA512 f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be
-
Filesize 1.0MB
MD5 358f99ebd079aa6e78769e5cff5d3e46
SHA1 3d39c422633fc9cc7a01eac78b08333be32b5477
SHA256 322043f6f8a01961ffccffc1b9291eb449b3a75c640842512d77e51438b76b1f
SHA512 244fecf5442dab6087ecd052df275f5cb0b02a8fddaef8cc8d83f669cdc8b75e04d898d2ad51b9216f9d60b1a130ba87f3cd8d1d8474c209597dfa24a1b1a4f1
-
Filesize 960KB
MD5 987421f9217166a36da6186bb4f6af33
SHA1 28c4673b54e9df462b2e884c841ac83287d577d5
SHA256 de4f8f970a60c8087aabe2b2ef3092221965d22ba5ae424c9502143bdb66979f
SHA512 15abd8ab39176db089e054205e36297421fb0a4f999cbcca2c6b16993a0b2b9adbc10b11e9210b9611c2991e672c77ed1cf3eac1330bd8ceda094f407121e665
-
Filesize 560KB
MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize 1.5MB
MD5 77a5e9efa3995c196674c746fb575cc1
SHA1 db4b08a0f7299f69c053bc06685e2c66c639ad4b
SHA256 00bcc13982d971952278aca7196e3b527e4364c949f9b318d8d037c657b66cb8
SHA512 6b163d2506f603e8f6ea3a3781087a54ebb69a48ad9ed071291a0776287208cff8adbd9ad0f8f05c02b8ef80ff79a73f12e58ae4c6b2068f0076bc3f63d9c0e0
-
Filesize 704KB
MD5 06a12cfd82d77ade49961ab5d7f38d74
SHA1 25cba6cc18b436fc6d66f9f034594a09c1d59060
SHA256 417b78b02783b07671924839526cc29ab5bac23dbae4a574204cd5e7ad2cb6aa
SHA512 dfa2e2075324f42f8a4497115e8542a031da5a5381088c9ece9fd5a9fcdecbe97b0084482afc3fd65ae84ef9fd7e89ca0fe7376436cf3069663ec27a17c91dad
-
Filesize 1024KB
MD5 f26249769d27c4988588974f0afc5ad0
SHA1 e8b18cd33637ba0baebb2e1e0140103debcc264a
SHA256 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363
SHA512 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd
-
Filesize 1.7MB
MD5 d36d5fcf6f7e6c67304fed7123a7f816
SHA1 e8fd7e15c0e589532c8c2f908f68db1c39b326c5
SHA256 1a50d506c0ff940abf59a98a627d7be435a0cdd2f5beb9271a3c5a362ed76657
SHA512 39927f760d26def097777f2db9f4267ea226f5c36ad96073572be241293975ccaade37b7d491b4894b748fcc2827a5e1152dfb7bef33eec9bc6b992ae00a02fa
-
Filesize 960KB
MD5 cf71d723e6a3a2abdb69313657a0862f
SHA1 9fae6ddc3f0a9e3c874a278435946d83f3f9ab1c
SHA256 ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125
SHA512 b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e
-
Filesize 1.5MB
MD5 7ce260e2a94335863c529cd646dfd240
SHA1 30be5706d4307cb9c494f5bb4c6ef5f6dbc1184d
SHA256 977fe08d953af92974b34964f1015b77634e782ccfafbf778374b65e49cdcd60
SHA512 adbd00a1d88012136333e60272ce1256a21f74fe97299fd4a7c153d00422201c7387ee9b0cd6939b5d83e2c73cdcfee23905ee3cd5322da98e318f822db93375
-
Filesize 1.3MB
MD5 0e1985f3d4f4c70a8750ff5cf4114471
SHA1 17aface74c6982fc5547a5aad3b5b2fa4655088a
SHA256 3658d1f63f8a33bf32f2aae9461d6371fa009e0ccc2339c960dced55ff354edd
SHA512 1b9b545cd2668ba6aa2ce6a9910d4d6fa6b1aa0e4b21e433510790aa37c48e0bacc3d8e67aa42103c5d2632136c529a9a784e2510c9d9870bc75bb40c897b1b5
-
Filesize 1.3MB
MD5 c3f0460a60fb14edf70f84e635349d81
SHA1 6cdeee2227100b06b43d27a5f9df9769fcb29adb
SHA256 d0db9fd6f1adbdc15620d6ea5daeda8cca07e59b94fc5ed83eadc11ce8bb227e
SHA512 a09f2e2946c0c2132703347ffb3d88e802ab7080827743686ef662efaacbeb58036f2f34fbe081b434fc72d980678eaef81e9d9e8ee5c40e9cc55b261966782b
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 256KB
MD5 1756d6fc7bf4213c8f0a521cd42d0ac6
SHA1 871962e45061751468d940000ee536794c269532
SHA256 c4b71ffb200f4b41f95b23aa3a2b90e6f87e5cd7ca4a9234e33ed441dcde7594
SHA512 694a8b76ffd5a1b78d63b628680e8997dbc0f06c4524804cd9da4e4d015c586c5a9145190a6dc44464592ac717df83ccce53401d68cd48703f932c6340e192ad
-
Filesize 2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize 13KB
MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize 25KB
MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize 246KB
MD5 c7f4dfe314dd61bc9ff56fdffe58bc58
SHA1 92149a4cc12b6e284f672897408ed7fe2c08cd39
SHA256 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
SHA512 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44
-
Filesize 128B
MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e