Analysis
-
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 05:44
Static task
static1
Behavioral task
behavioral1
Sample
eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
Resource
win10v2004-20240226-en
General
-
Target
eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
-
Size
163KB
-
MD5
3f9534333f6ccc480bfeabed25adecd1
-
SHA1
7b89fd831fc51fae94e0f0a65f4b25303074c406
-
SHA256
eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b
-
SHA512
22ede8f378c57498ecaa3fdbfce1393857721dbddec69047d729ea5629a68ee625ec0141650cd3d5c794477836c8e37c9922fd0904c686d05b2dd3ac4c4aaf8b
-
SSDEEP
3072:aZ3vfdGdDEaLL3ZnWQ/Qr0A6AVJsbEaBkeL/2UIO8cLzhQr:aFlGdQaP9L9AHsAa6cb8cnhQ
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
smokeloader
pub1
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Socks5Systemz Payload 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4312-392-0x0000000000A20000-0x0000000000AC2000-memory.dmp family_socks5systemz
-
Glupteba payload 4 IoCs
Processes:
resource yara_rule
behavioral2/memory/4416-189-0x0000000002DA0000-0x000000000368B000-memory.dmp family_glupteba
behavioral2/memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Detects binaries embedding a considerable number of MFA browser extension IDs. 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4428-368-0x0000000000400000-0x0000000001A2A000-memory.dmp INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
-
Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4428-368-0x0000000000400000-0x0000000001A2A000-memory.dmp INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
-
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
Processes:
resource yara_rule
behavioral2/memory/4960-48-0x0000000000400000-0x0000000002D8C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4960-137-0x0000000000400000-0x0000000002D8C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
-
Detects Windows executables referencing non-Windows User-Agents 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4428-368-0x0000000000400000-0x0000000001A2A000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables containing a Discord URL observed in first stage droppers 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
-
Detects executables containing URLs to raw contents of a Github gist 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
-
Detects executables containing artifacts associated with disabling Windows Defender 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
-
Detects executables packed with VMProtect. 7 IoCs
Processes:
resource yara_rule
behavioral2/memory/3444-110-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3444-113-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4312-118-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4312-148-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4312-207-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4312-351-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4312-387-0x0000000000400000-0x00000000006E8000-memory.dmp INDICATOR_EXE_Packed_VMProtect
-
Detects executables referencing many varying, potentially fake Windows User-Agents 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
-
UPX dump on OEP (original entry point) 6 IoCs
Processes:
resource yara_rule
behavioral2/memory/516-35-0x0000000000400000-0x0000000000848000-memory.dmp UPX
behavioral2/memory/516-36-0x0000000000400000-0x0000000000848000-memory.dmp UPX
behavioral2/memory/516-33-0x0000000000400000-0x0000000000848000-memory.dmp UPX
behavioral2/memory/516-37-0x0000000000400000-0x0000000000848000-memory.dmp UPX
behavioral2/memory/516-38-0x0000000000400000-0x0000000000848000-memory.dmp UPX
behavioral2/memory/516-44-0x0000000000400000-0x0000000000848000-memory.dmp UPX
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid process
3952 netsh.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation E17C.exe
-
Deletes itself 1 IoCs
Processes:
pid process 3428 -
Executes dropped EXE 18 IoCs
Processes:
pid process
456 9B75.exe
3652 A867.exe
516 A867.exe
4960 AB56.exe
3700 B104.exe
4596 B104.tmp
3444 cddvdspeed.exe
4312 cddvdspeed.exe
1684 E17C.exe
4416 288c47bbc1871b439df19ff4df68f076.exe
4516 InstallSetup4.exe
4724 FourthX.exe
2504 BroomSetup.exe
4428 nscFED4.tmp
1808 19E2.exe
632 475C.exe
2628 vueqjgslwynd.exe
1696 288c47bbc1871b439df19ff4df68f076.exe
-
Loads dropped DLL 10 IoCs
Processes:
pid process
2888 regsvr32.exe
516 A867.exe
4596 B104.tmp
4596 B104.tmp
4596 B104.tmp
4516 InstallSetup4.exe
4516 InstallSetup4.exe
4428 nscFED4.tmp
4428 nscFED4.tmp
4516 InstallSetup4.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule
behavioral2/memory/516-35-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/516-36-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/516-33-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/516-37-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/516-38-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/516-44-0x0000000000400000-0x0000000000848000-memory.dmp upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" A867.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description ioc process
File opened for modification \??\PHYSICALDRIVE0 AB56.exe
-
Drops file in System32 directory 5 IoCs
Processes:
description ioc process
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\system32\MRT.exe vueqjgslwynd.exe
File opened for modification C:\Windows\system32\MRT.exe FourthX.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache powershell.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 3652 set thread context of 516 3652 A867.exe A867.exe
PID 2628 set thread context of 1020 2628 vueqjgslwynd.exe conhost.exe
PID 2628 set thread context of 4956 2628 vueqjgslwynd.exe explorer.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
4432 sc.exe
3444 sc.exe
2980 sc.exe
2640 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid pid_target process target process
4512 4428 WerFault.exe nscFED4.tmp
4296 4416 WerFault.exe 288c47bbc1871b439df19ff4df68f076.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 19E2.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 19E2.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 19E2.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nscFED4.tmp
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nscFED4.tmp
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exepowershell.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. 
Australia Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. 
Europe Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 
288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. 
Africa Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. 
Australia Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exepid process 1412 eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe 1412 eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 3428 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
1412 eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
1808 19E2.exe
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
powershell.exepowershell.exepowershell.exe288c47bbc1871b439df19ff4df68f076.exeexplorer.exedescription pid process Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeDebugPrivilege 1996 powershell.exe Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeDebugPrivilege 4276 powershell.exe Token: SeDebugPrivilege 2324 powershell.exe Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 Token: SeDebugPrivilege 4416 288c47bbc1871b439df19ff4df68f076.exe Token: SeImpersonatePrivilege 4416 288c47bbc1871b439df19ff4df68f076.exe Token: SeLockMemoryPrivilege 4956 explorer.exe Token: SeShutdownPrivilege 3428 Token: SeCreatePagefilePrivilege 3428 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
4596 B104.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
2504 BroomSetup.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3428 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exeA867.exeB104.exeB104.tmpE17C.exeInstallSetup4.exeBroomSetup.execmd.exedescription pid process target process PID 3428 wrote to memory of 456 3428 9B75.exe PID 3428 wrote to memory of 456 3428 9B75.exe PID 3428 wrote to memory of 456 3428 9B75.exe PID 3428 wrote to memory of 3280 3428 regsvr32.exe PID 3428 wrote to memory of 3280 3428 regsvr32.exe PID 3280 wrote to memory of 2888 3280 regsvr32.exe regsvr32.exe PID 3280 wrote to memory of 2888 3280 regsvr32.exe regsvr32.exe PID 3280 wrote to memory of 2888 3280 regsvr32.exe regsvr32.exe PID 3428 wrote to memory of 3652 3428 A867.exe PID 3428 wrote to memory of 3652 3428 A867.exe PID 3428 wrote to memory of 3652 3428 A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3652 wrote to memory of 516 3652 A867.exe A867.exe PID 3428 wrote to memory of 4960 3428 AB56.exe PID 3428 wrote to memory of 4960 3428 AB56.exe PID 3428 wrote to memory of 4960 3428 AB56.exe PID 3428 wrote to memory of 3700 3428 B104.exe PID 3428 wrote to memory of 3700 3428 B104.exe PID 3428 wrote to memory of 3700 3428 B104.exe PID 3700 wrote to memory of 4596 3700 B104.exe B104.tmp PID 3700 wrote to memory of 4596 3700 B104.exe B104.tmp PID 3700 wrote to memory of 4596 3700 B104.exe B104.tmp PID 4596 wrote to memory of 3444 4596 B104.tmp cddvdspeed.exe PID 4596 wrote to memory of 3444 4596 B104.tmp cddvdspeed.exe PID 4596 wrote to memory of 3444 4596 B104.tmp cddvdspeed.exe PID 4596 wrote to memory of 4312 4596 B104.tmp cddvdspeed.exe PID 4596 wrote to memory of 4312 4596 B104.tmp cddvdspeed.exe PID 4596 wrote to memory of 4312 4596 B104.tmp cddvdspeed.exe PID 3428 wrote to memory of 1684 3428 
E17C.exe PID 3428 wrote to memory of 1684 3428 E17C.exe PID 3428 wrote to memory of 1684 3428 E17C.exe PID 1684 wrote to memory of 4416 1684 E17C.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1684 wrote to memory of 4416 1684 E17C.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1684 wrote to memory of 4416 1684 E17C.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1684 wrote to memory of 4516 1684 E17C.exe InstallSetup4.exe PID 1684 wrote to memory of 4516 1684 E17C.exe InstallSetup4.exe PID 1684 wrote to memory of 4516 1684 E17C.exe InstallSetup4.exe PID 1684 wrote to memory of 4724 1684 E17C.exe FourthX.exe PID 1684 wrote to memory of 4724 1684 E17C.exe FourthX.exe PID 4516 wrote to memory of 2504 4516 InstallSetup4.exe BroomSetup.exe PID 4516 wrote to memory of 2504 4516 InstallSetup4.exe BroomSetup.exe PID 4516 wrote to memory of 2504 4516 InstallSetup4.exe BroomSetup.exe PID 2504 wrote to memory of 2628 2504 BroomSetup.exe cmd.exe PID 2504 wrote to memory of 2628 2504 BroomSetup.exe cmd.exe PID 2504 wrote to memory of 2628 2504 BroomSetup.exe cmd.exe PID 4516 wrote to memory of 4428 4516 InstallSetup4.exe nscFED4.tmp PID 4516 wrote to memory of 4428 4516 InstallSetup4.exe nscFED4.tmp PID 4516 wrote to memory of 4428 4516 InstallSetup4.exe nscFED4.tmp PID 2628 wrote to memory of 4432 2628 cmd.exe chcp.com PID 2628 wrote to memory of 4432 2628 cmd.exe chcp.com PID 2628 wrote to memory of 4432 2628 cmd.exe chcp.com PID 3428 wrote to memory of 1808 3428 19E2.exe PID 3428 wrote to memory of 1808 3428 19E2.exe PID 3428 wrote to memory of 1808 3428 19E2.exe PID 2628 wrote to memory of 2012 2628 cmd.exe schtasks.exe PID 2628 wrote to memory of 2012 2628 cmd.exe schtasks.exe PID 2628 wrote to memory of 2012 2628 cmd.exe schtasks.exe PID 3428 wrote to memory of 632 3428 475C.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1412
-
Level 1: C:\Users\Admin\AppData\Local\Temp\9B75.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9B75.exe
- Executes dropped EXE
PID:456
-
Level 1: C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A28A.dll
- Suspicious use of WriteProcessMemory
PID:3280 -
Level 2: C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Users\Admin\AppData\Local\Temp\A28A.dll
- Loads dropped DLL
PID:2888
-
-
Level 1: C:\Users\Admin\AppData\Local\Temp\A867.exe
Command line: C:\Users\Admin\AppData\Local\Temp\A867.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3652 -
Level 2: C:\Users\Admin\AppData\Local\Temp\A867.exe
Command line: C:\Users\Admin\AppData\Local\Temp\A867.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:516
-
-
Level 1: C:\Users\Admin\AppData\Local\Temp\AB56.exe
Command line: C:\Users\Admin\AppData\Local\Temp\AB56.exe
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4960
-
C:\Users\Admin\AppData\Local\Temp\B104.exeC:\Users\Admin\AppData\Local\Temp\B104.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp"C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp" /SL5="$90162,2349102,54272,C:\Users\Admin\AppData\Local\Temp\B104.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i3⤵
- Executes dropped EXE
PID:3444
-
-
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s3⤵
- Executes dropped EXE
PID:4312
-
-
-
C:\Users\Admin\AppData\Local\Temp\E17C.exeC:\Users\Admin\AppData\Local\Temp\E17C.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1696 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:3108
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:4428
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:3952
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:2084
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 8843⤵
- Program crash
PID:4296
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:4432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- Creates scheduled task(s)
PID:2012
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nscFED4.tmpC:\Users\Admin\AppData\Local\Temp\nscFED4.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4428 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 20444⤵
- Program crash
PID:4512
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4724 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:4432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:4420
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4264
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:3444
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:2980
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:2640
-
-
-
C:\Users\Admin\AppData\Local\Temp\19E2.exeC:\Users\Admin\AppData\Local\Temp\19E2.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1808
-
C:\Users\Admin\AppData\Local\Temp\475C.exeC:\Users\Admin\AppData\Local\Temp\475C.exe1⤵
- Executes dropped EXE
PID:632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4428 -ip 44281⤵PID:1448
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2628 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:1020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:4788
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2680
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4416 -ip 44161⤵PID:5012
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads