Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 21-03-2024 13:18

Static task: static1

Behavioral task: behavioral1
  Sample: dbb8a830f9288e1a268901c7867b3536.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: dbb8a830f9288e1a268901c7867b3536.exe
  Resource: win10v2004-20240226-en
General
Target: dbb8a830f9288e1a268901c7867b3536.exe
Size: 14.2MB
MD5: dbb8a830f9288e1a268901c7867b3536
SHA1: 18052820e7221bb5cd44898665fb2bafa7189b4b
SHA256: bab1c0bac0b402b44d52b9b1be9f102995db318bcd1fa07f507ccbe8d3785bef
SHA512: 154990cb81585ba14ee553ce2d490e55b7a82645b0bbf0e6369589353bd8e39e726e27925e31238f1eea85d17b7abcbb3b423450dfc87cb3c97569b9303c3bc6
SSDEEP: 12288:9Tvdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd6:5q
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\lsacmslsa.exe" | dbb8a830f9288e1a268901c7867b3536.exe
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = "C:\\Windows\\system32\\dhcpdisppool.exe" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" | dbb8a830f9288e1a268901c7867b3536.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\lsacmslsa.exe" | dbb8a830f9288e1a268901c7867b3536.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | dbb8a830f9288e1a268901c7867b3536.exe
Drops file in System32 directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\poolpdbpptp.exe | dbb8a830f9288e1a268901c7867b3536.exe
File opened for modification | C:\Windows\SysWOW64\dhcpdisppool.exe | dbb8a830f9288e1a268901c7867b3536.exe
File created | C:\Windows\SysWOW64\raspdbip.exe | dbb8a830f9288e1a268901c7867b3536.exe
File opened for modification | C:\Windows\SysWOW64\raspdbip.exe | dbb8a830f9288e1a268901c7867b3536.exe
File opened for modification | C:\Windows\SysWOW64\lsacmslsa.exe | dbb8a830f9288e1a268901c7867b3536.exe
File created | C:\Windows\SysWOW64\poolpdbpptp.exe | dbb8a830f9288e1a268901c7867b3536.exe
File created | C:\Windows\SysWOW64\lsacmslsa.exe | dbb8a830f9288e1a268901c7867b3536.exe
File created | C:\Windows\SysWOW64\procinfoip.ocx | dbb8a830f9288e1a268901c7867b3536.exe
File opened for modification | C:\Windows\SysWOW64\procinfoip.ocx | dbb8a830f9288e1a268901c7867b3536.exe
File created | C:\Windows\SysWOW64\dhcpdisppool.exe | dbb8a830f9288e1a268901c7867b3536.exe
Modifies Control Panel 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ForegroundLockTimeout = "50986752" | dbb8a830f9288e1a268901c7867b3536.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d4427b927bda01 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417189038" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a960690000000002000000000010660000000100002000000036a117c194883b54c5341d3183214d956ef196bcbc05ec9bea239d533b7a10b7000000000e8000000002000020000000bc6a6e1fa93316c0190f100db296abaae46b8086b48d209d93d6e6e0acec077820000000e1ae7722b80e53a5a525f88ef1bf91f8e2d648e8639e93fb35c799dae3dceefa40000000e2fef3dac372082c002d4236fcb8012599d18a19131d8d1df23c3e45b82a08e45c91c72f0e330b13de93405797a99fa0556fe829103359b9524eebaade608f6a | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A68B0F71-E785-11EE-B5E8-DE62917EBCA6} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Modifies registry class 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\procinfoip.ocx" | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | dbb8a830f9288e1a268901c7867b3536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | dbb8a830f9288e1a268901c7867b3536.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | dbb8a830f9288e1a268901c7867b3536.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2196 | dbb8a830f9288e1a268901c7867b3536.exe (this same row is repeated for every one of the 64 IoCs; all entries are PID 2196)
Suspicious use of AdjustPrivilegeToken 44 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2196 | dbb8a830f9288e1a268901c7867b3536.exe
Token: SeBackupPrivilege | 2196 | dbb8a830f9288e1a268901c7867b3536.exe (this same row is repeated for the remaining 43 IoCs)
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2712 | iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2712 | iexplore.exe
2712 | iexplore.exe
2920 | IEXPLORE.EXE
2920 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2712 wrote to memory of 2920 | 2712 | iexplore.exe | 30
PID 2712 wrote to memory of 2920 | 2712 | iexplore.exe | 30
PID 2712 wrote to memory of 2920 | 2712 | iexplore.exe | 30
PID 2712 wrote to memory of 2920 | 2712 | iexplore.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbb8a830f9288e1a268901c7867b3536.exe"
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2196

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2712

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child process of PID 2712)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2920
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 72ee679ba76527ca0720235ffff77c53
SHA1: 254b15bdc167be23fb6021841d31dc6834cc6abb
SHA256: f316b26d4af6da4285a65ff1d2c56908a2cfb18d7fb961be2e4afea5534a5fb5
SHA512: b141cb30c016a87384af068f3dbc26400b3aba36027a31aa787345ca83b27b2508a0fcec172138cbeb98c4b0579e5c4edfeb56470a79dc473bd6f25e267ac190

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 62275b8a095040767f9ef79fe6d591e8
SHA1: a8946f90dd30a3833b699a988e66ae69220def9b
SHA256: 0c2649355a3788797abea529f8a4a1dd74f90cb9ea439e9b79e8c88661085078
SHA512: 0fc867f56878218f029bcbba7c32b85afcb649a5b0d5b8b6d4be77410ff8a08088aebc51c4c275d478bbb5e8f1a46a314b17781a4a88dddc567bd68b740b8624

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: e355651912979f2d24d8935ee11c414b
SHA1: 1f6c5c53369feba7416a2b5b5552ddd5f42cfe06
SHA256: 6f47c37941b25c41675894d67e8cff918dcd41bbdffa20d54b040624e590314c
SHA512: 54982aec39f8775d7abf08d3c5faa4f59e809fdcf74584154aac80a8c8b9a9d1ce1660a3ad6a16313ed2f34010bd84062747c22124d5e745b31b4316aa86bf52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2fbcec192cadd6d54d5b80bef1271986
SHA1: 706516093e6b143388d8499cc97c6deb506a5280
SHA256: 3c94f9393cb0c9c667e720600c4d17087b55dae5db8c0d9368b0779544f79210
SHA512: 22818d2516dd50e7e4f3283a85646adce6a16ff20f7f3e8f306a7318ba7edba3e88d014ff1b834ec505acae2e55e0cf2f1920227a184ffdc071c24739c94ba8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2fbe1b1da3f171fd24a18443a40ef21b
SHA1: b1adb2aaff0b6ec46f80ef3f98ecfa189cf2c792
SHA256: 67f892932ae368aed88e6b056213c56a97198efe3f9ef0110b3ec91b47ac8250
SHA512: 2c9bc9e768e2471fe16800e1390a886711c68961ace58088aebc0200135a0e3538aa6f16345ee53f8fcdf6737079d89deb7a6ddf3a931ee3de9b5564a33421af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 73ca81ffbeb9bcaadae68bbd0af78f53
SHA1: 4312fb09b152955bc642696779df7e8282eca02f
SHA256: aa9317c8b863d7d36158fe1adfe309b43eec5bc7982970829f96633d57076930
SHA512: 9f3342d9876e91dfa55aa54c84f50909b4ff18f25587119cf47adbb0f5e89efa2542ca60af4aef6b365b8e6259470627644f82c32b7c29581f0d27ccb1efaed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 79f4f9daf13fa7634e0752b306ba9be1
SHA1: 748306acdbbef52dd33eeaf2fc784195973de078
SHA256: 47711196b13e92ef5113e8ab93212258d38c3e93f0be5f4f13babf1c7cc65c22
SHA512: c2a76ec212fb9d646930e00ed33582065ee6117d77f6faf84eeba0441338cb7bd17804f132a75b937daef671a40a064ce3518d329a6464b4f06075dd21ac4a2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 0bddc71be663b508ed423cf91f748583
SHA1: d43d18c4aa087fbe2bd7f1f227dc95118f5faa19
SHA256: 8d9e6ebe205c701e91884d8d816db7f0aed0c929d82c771f8f81c1e1d53c95d7
SHA512: 20fd9ed525ff022626d4245b7346eb981d14ffae1cb5134121c2381902efb09a3e56422377161dfc82fdb18f4d7a2a08e825d01bff973df5276fad10b309866a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 0596c83010524a4205b80cf4080ac5d5
SHA1: ee92bc69a45e8fb03d6f807d227e8139179eb1c3
SHA256: bce268c71b407115130471d206f737d24b889eb25fe601891e851c2aa2c3b41d
SHA512: 16470e42ccf76ffaea0344c759230bccec1d79b95ef7685ca8b8898e5a4eea71e0dd7c8686f8fd1e8b4cf3a391f0db8023303b53d73d400423e73f12967c00b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 56a75a99ceac194b7beb5fba7f674c66
SHA1: 85a6eb91c5e9ad40eab8585a5f5666e295a8d6d0
SHA256: 43d93f322648a9d0c82829470dfd24eacaed3bed1105af69fa99d1c633f69957
SHA512: 43665c3aa2169c64939361c43ecf41acc8d8423250bddde51fa24f29db6645064ad8e7e71fcdaea61b569b9949799a0c3a0040420acca1096d960b1301c92873

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 9cfc7163462c52f358d1e7388e21d996
SHA1: cda83310b6cd7ae12e21c5c50bd52bee71cb4b72
SHA256: ff369108e29a5b4ee414e0708f82aeace5be8eaf71f0f5ca0b46526479835af0
SHA512: 0591c4ed4744ab13bd11453b20cde9c86d3ad6338a3817edd67f13a329636f97a8c49909ba2a8671f86b431e11a282f72c2beb3fc03efdee69f379cf79c31c9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 9d7da008b3302d3f4850125a7c85cc34
SHA1: 0516b2aa5e1e04b7b2ae8cc4fdfc884a35925609
SHA256: a9eb55a026370e4a50ca968615aaf7f04fbe319ed8f0d6721c8fcf14bde44804
SHA512: f27baad409fafe0655e64469638079cbd2187609e380517c2dd02302adfebc4d8be23110e2f9ac1766e6afffdd97d20e408eeed9b09224a4fd09ede62e97e486

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d58090abad8c6f07f678d7476c3cc3aa
SHA1: 59df2bf9560d8453bc787d9bfb2556143ddb26b3
SHA256: dec8fe403507d6dd7dcdb01965efa19be2f143fa51fd93153f2cd8e5ce6c7edf
SHA512: b0b7497e2dfa56943b047b35a2c944d8cf3a97c092bdac2636ae41879a2a6be12e34ac5d63d4d6d0e55e065a39217010fded675664a722c4785cf71fb540fd81

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Filesize: 14.4MB
MD5: d2e345b3340e1404b0027f561ed8581a
SHA1: 2ac5df8424b4726f221361702c193862dc986cff
SHA256: 3367db7f8c1bd6ac90e23b4017290969379725c0f46c7bc9ed248f87f67fe0f4
SHA512: 37b1c3e901581f88ecee45d7e3bb5f6f1769ad3f25ddc7bf6c428012ac3b8db6f08c3eb2c7ad5cc73433779c20c34ea9358bd494e58a92c3a78ca61cb19d7623

Filesize: 4KB
MD5: 97c92f4457dd94d678d4c9e4bdd8352f
SHA1: 8d80f3cead2b0c5b2b80feb548131daf4d33297d
SHA256: eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3
SHA512: f07bc6be6a70ee28c5dddfcc036c6f3c17abc89f1240a688519c2d39a3012016b13689577dd62f2391153f837cbed5ed127568f14523ac0d6b33c516e0f51e75