Analysis
max time kernel: 300s
max time network: 124s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131.exe
  Resource: win10-20240404-en
General
Target: 1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131.exe
Size: 700KB
MD5: b738131a6a14ac7019a8704718cdbaed
SHA1: 86f3a2f6115bbadfef82238fe425426bc634d0e1
SHA256: 1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131
SHA512: 87cedf06c6ecae24cc74924efd489eaa9e94413af54e605cda9f7601e03fa65fcfbd93f9a6ae77684903db2e5056884f145f960d6590f0b6ea15923cacab43d5
SSDEEP: 12288:1Mwh9coeIVMKnKUwR2s8pw8OOHdTfuAhCBstRLQ+b3qNppZK6dZCetm8i:1Mwh9FNKPn8pw4LuA++QeIjZMX
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2:
http://cellc.org/tmp/index.php
http://h-c-v.ru/tmp/index.php
http://icebrasilpr.com/tmp/index.php
http://piratia-life.ru/tmp/index.php
http://piratia.su/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description            pid   process      target process
    PID 3020 created 1368  3020  Hanging.pif  Explorer.EXE
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes:
    pid   process
    3020  Hanging.pif
    2104  Hanging.pif
    1536  EC14.exe
    2736  gdbgbta
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    3068  cmd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process      target process
    PID 3020 set thread context of 2104   3020  Hanging.pif  Hanging.pif
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Hanging.pif
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Hanging.pif
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Hanging.pif
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes:
    pid   process
    2632  tasklist.exe
    2672  tasklist.exe
- Modifies registry class (20 IoCs)
  Processes:
    description       ioc  process
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  gdbgbta
    Set value (int)   \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg  gdbgbta
    Set value (int)   \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags  gdbgbta
    Set value (str)   \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff  gdbgbta
    Set value (str)   \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  gdbgbta
    Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  gdbgbta
    Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff  gdbgbta
- Modifies system certificate store
  Processes:
    description       ioc  process
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob value not reproduced in this report)  Hanging.pif
    Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C  Hanging.pif
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob value not reproduced in this report)  Hanging.pif
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (identical rows collapsed, with the number of times each was listed):
    pid   process       entries
    3020  Hanging.pif   4
    2104  Hanging.pif   2
    1368  Explorer.EXE  58
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    2104  Hanging.pif
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     2632  tasklist.exe
    Token: SeDebugPrivilege     2672  tasklist.exe
    Token: SeShutdownPrivilege  1368  Explorer.EXE
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid   process
    3020  Hanging.pif
    3020  Hanging.pif
    3020  Hanging.pif
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid   process
    3020  Hanging.pif
    3020  Hanging.pif
    3020  Hanging.pif
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    2736  gdbgbta
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (identical rows collapsed, with the number of times each was listed):
    description                       pid   process  target process  entries
    PID 3048 wrote to memory of 3068  3048  1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131.exe  cmd.exe  4
    PID 3068 wrote to memory of 2632  3068  cmd.exe  tasklist.exe  4
    PID 3068 wrote to memory of 2636  3068  cmd.exe  findstr.exe  4
    PID 3068 wrote to memory of 2672  3068  cmd.exe  tasklist.exe  4
    PID 3068 wrote to memory of 2928  3068  cmd.exe  findstr.exe  4
    PID 3068 wrote to memory of 2136  3068  cmd.exe  cmd.exe  4
    PID 3068 wrote to memory of 2748  3068  cmd.exe  findstr.exe  4
    PID 3068 wrote to memory of 2848  3068  cmd.exe  cmd.exe  4
    PID 3068 wrote to memory of 3020  3068  cmd.exe  Hanging.pif  4
    PID 3068 wrote to memory of 2388  3068  cmd.exe  PING.EXE  4
    PID 3020 wrote to memory of 2104  3020  Hanging.pif  Hanging.pif  6
    PID 1368 wrote to memory of 1536  1368  Explorer.EXE  EC14.exe  4
    PID 2636 wrote to memory of 2736  2636  taskeng.exe  gdbgbta  4
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; the bracketed number is the depth of the process in the tree)
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1368
  [2] C:\Users\Admin\AppData\Local\Temp\1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3048
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k move Categories Categories.cmd & Categories.cmd & exit
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 3068
      [4] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
          PID: 2632
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /I "wrsa.exe opssvc.exe"
          PID: 2636
      [4] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
          PID: 2672
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          PID: 2928
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c md 4444344
          PID: 2136
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V "QueryOurselvesAttitudesGoat" Season
          PID: 2748
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c copy /b Trigger + Edge + Televisions 4444344\f
          PID: 2848
      [4] C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4444344\Hanging.pif
          Command line: 4444344\Hanging.pif 4444344\f
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3020
      [4] C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 5 127.0.0.1
          - Runs ping.exe
          PID: 2388
  [2] C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4444344\Hanging.pif
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4444344\Hanging.pif"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2104
  [2] C:\Users\Admin\AppData\Local\Temp\EC14.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\EC14.exe
      - Executes dropped EXE
      PID: 1536
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {2262B0C5-0A96-4166-A1CC-8D0787032B5F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 2636
  [2] C:\Users\Admin\AppData\Roaming\gdbgbta
      Command line: C:\Users\Admin\AppData\Roaming\gdbgbta
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads