Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/04/2024, 05:52
Static task: static1
Behavioral task: behavioral1
Sample: 2bed708c4360606279cc888dd95e3ff6.exe
Resource: win7-20240221-en
General
Target: 2bed708c4360606279cc888dd95e3ff6.exe
Size: 446KB
MD5: 2bed708c4360606279cc888dd95e3ff6
SHA1: 05bbac412064f5fccbec99e5c68072889df44f2e
SHA256: f8ca2eea97cbd4ff2db38fe521275e2d55503e84c0a20dbdb17e560cf6895c65
SHA512: 01511cfe4381f273323e29a0298e849c688cc069b06a03a361a4f67adc927b41bf3bd6ca5f0e3a131517335a141de4632c28331041f031695556a8b6b61f4416
SSDEEP: 6144:/XRTE84QLG7V1sxwSEDW/d3dmfAhb/BmHdmMz9P887WbVb:vRTEwLG7+wSSqdDb/qd8z
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid    Process
2092   32F2.tmp

Loads dropped DLL (2 IoCs)
pid    Process
2008   2bed708c4360606279cc888dd95e3ff6.exe
2008   2bed708c4360606279cc888dd95e3ff6.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
description                         pid    Process                                 procid_target
PID 2008 wrote to memory of 2092    2008   2bed708c4360606279cc888dd95e3ff6.exe    28
PID 2008 wrote to memory of 2092    2008   2bed708c4360606279cc888dd95e3ff6.exe    28
PID 2008 wrote to memory of 2092    2008   2bed708c4360606279cc888dd95e3ff6.exe    28
PID 2008 wrote to memory of 2092    2008   2bed708c4360606279cc888dd95e3ff6.exe    28
Processes
1. C:\Users\Admin\AppData\Local\Temp\2bed708c4360606279cc888dd95e3ff6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2bed708c4360606279cc888dd95e3ff6.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2008
   2. C:\Users\Admin\AppData\Local\Temp\32F2.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\32F2.tmp
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 145KB
MD5: c610e7ccd6859872c585b2a85d7dc992
SHA1: 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256: 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512: 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666