Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 23-05-2024 02:10

Static task: static1
Behavioral task: behavioral1
Sample: e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
Resource: win7-20240221-en

General
Target: e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
Size: 453KB
MD5: 91222ab87d00d9ebff53a1b275760a49
SHA1: 3870e1c16c22984f21f113794666ed6b9bb1b0dd
SHA256: e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59
SHA512: c78be464d923ada0c7ddd4385f15379122c0583b49363e51e06fffe3184da96c281cf86c68469739db88c79dd0276399e076780cc8d76ce75c995445826b4731
SSDEEP: 6144:6LJyeGtp4QLYJ7v7LFCSBWc2GyL8yZ2VvMzAVDEHtCZ3iKGIOrEe5qn2s8:Q8eGtLL27D5VWcLm9Z2DVW4Q9EnE
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
1786.tmp
pid | process
2056 | 1786.tmp

Loads dropped DLL (2 IoCs)
Processes:
e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
pid | process
2200 | e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
2200 | e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in System32 directory (64 IoCs)
Processes:
1786.tmp
description | ioc | process
File created | C:\Windows\SysWOW64\msorcl32.dll | 1786.tmp
File created | C:\Windows\SysWOW64\mstext40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\rdvgumd32.dll | 1786.tmp
File created | C:\Windows\SysWOW64\InstallShield\setup.exe | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\mfc120.dll | 1786.tmp
File created | C:\Windows\SysWOW64\mfc40.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\mfc140u.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msvbvm60.dll | 1786.tmp
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll | 1786.tmp
File created | C:\Windows\SysWOW64\explorer.exe | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\mfc110u.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll | 1786.tmp
File created | C:\Windows\SysWOW64\ir32_32.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msexch40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\dmscript.dll | 1786.tmp
File created | C:\Windows\SysWOW64\mfc40u.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msjtes40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\mspbde40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msrd3x40.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\msvcr110.dll | 1786.tmp
File created | C:\Windows\SysWOW64\audiodev.dll | 1786.tmp
File created | C:\Windows\SysWOW64\d3d8.dll | 1786.tmp
File created | C:\Windows\SysWOW64\sqlwoa.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\msvcr120.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msvcrt20.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\atl110.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\msvcr100.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\VBAME.DLL | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\vccorlib120.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\mfc100.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\MSCOMCTL.OCX | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\mfc120u.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msltus40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\setupSNK.exe | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll | 1786.tmp
File created | C:\Windows\SysWOW64\expsrv.dll | 1786.tmp
File created | C:\Windows\SysWOW64\FXSXP32.dll | 1786.tmp
File created | C:\Windows\SysWOW64\d3dim700.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msxbde40.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll | 1786.tmp
File created | C:\Windows\SysWOW64\InstallShield\_isdel.exe | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\atl100.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\concrt140.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msexcl40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\mswstr10.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\vcomp140.dll | 1786.tmp
File created | C:\Windows\SysWOW64\dplaysvr.exe | 1786.tmp
File created | C:\Windows\SysWOW64\ir41_32.ax | 1786.tmp
File created | C:\Windows\SysWOW64\msjet40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\msjter40.dll | 1786.tmp
File created | C:\Windows\SysWOW64\regedit.exe | 1786.tmp
File created | C:\Windows\SysWOW64\d3dxof.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\FM20.DLL | 1786.tmp
File created | C:\Windows\SysWOW64\odbcjt32.dll | 1786.tmp
File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\mfc100u.dll | 1786.tmp
File opened for modification | C:\Windows\SysWOW64\msvcr120_clr0400.dll | 1786.tmp
File created | C:\Windows\SysWOW64\ivfsrc.ax | 1786.tmp
File created | C:\Windows\SysWOW64\sqlunirl.dll | 1786.tmp
File created | C:\Windows\SysWOW64\crtdll.dll | 1786.tmp
Drops file in Program Files directory (64 IoCs)
Processes:
1786.tmp
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL | 1786.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SEQCHK10.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.DLL | 1786.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLACCT.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\TRANSMGR.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OFFXML.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLNOTE.FAE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GKWord.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\ColleagueImport.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OMSXP32.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE | 1786.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | 1786.tmp
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | 1786.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\MSGR3ES.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\xmlrwbin.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\MSGR3FR.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ContactPicker.dll | 1786.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\VISSHE.DLL | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | 1786.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api | 1786.tmp
Drops file in Windows directory (64 IoCs)
Processes:
1786.tmp
description | ioc | process
File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.1.7601.17514_none_87f5c549f6656c22_cryptui.dll_af347940 | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-help-storagelayer_31bf3856ad364e35_6.1.7600.16385_none_de737c19662130e7\apss.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\adfsmig.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-ndis-tdi-bindingengine_31bf3856ad364e35_6.1.7601.17514_none_401c514f83c9df99\netcfgx.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-x..ificateenrollmentui_31bf3856ad364e35_6.1.7600.16385_none_2a47a0022a1c5b6c\CertEnrollUI.dll | 1786.tmp
File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7_dnscacheugc.exe_aa32623e | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_6.1.7601.17514_none_b656fd566c17dc3a\mstsc.exe | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-mp3dmod_31bf3856ad364e35_6.1.7600.16385_none_ecf1800a3afff679\MP3DMOD.DLL | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_6.1.7600.16385_none_02aa6dd4294b8d5f\shutdown.exe | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-directx-dxgi_31bf3856ad364e35_7.1.7601.16492_none_2d9df37207f811b4\dxgi.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_5a4b046c5dce176a\duser.dll | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.1.7601.17514_none_74a0e9133d491d65\AcXtrnal.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.1.7600.16385_none_81d82fe9c216eb89\pcaui.exe | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigSetup.exe | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-n..n_service_migplugin_31bf3856ad364e35_6.1.7600.16385_none_5e24e56caba0b429\IasMigPlugin.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\apss.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\smiengine.dll | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\scrrun.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-directx-direct3d_31bf3856ad364e35_6.1.7600.16385_none_eb246466b6cc92e7\d3dim.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-opengl-mf_31bf3856ad364e35_6.1.7600.16385_none_cb31c38d7718c1a4\glmf32.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7601.17514_none_e27f805beca8b9dd\EncDec.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-directx-d3dcompiler_31bf3856ad364e35_6.1.7601.23796_none_eb8e769493af6438\D3DCompiler_47.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-directx-direct3d11_31bf3856ad364e35_7.1.7601.16492_none_e2d7c9f5b7176f4e\d3d11.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-ncdprop_31bf3856ad364e35_6.1.7600.16385_none_538c12567156d10b\NcdProp.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.1.7601.17514_none_31f571a823ea4f88\mstscax.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-wmspdmoe_31bf3856ad364e35_6.1.7600.16385_none_f9fb55c5d138e6cb\WMSPDMOE.DLL | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-authorizationmanagerui_31bf3856ad364e35_6.1.7601.17514_none_23e160885de79241\azroleui.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-deltapackageexpander_31bf3856ad364e35_6.1.7601.17514_none_6be6001a9349f456\dpx.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\apds.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_2f34ae7288e22ae3\shfusion.dll | 1786.tmp
File created | C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.urlmon.dll.01da64d00224e330.000c | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\mqmigplugin.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_7.1.7601.16492_none_8416bfe4a16d5fb1\msmpeg2vdec.dll | 1786.tmp
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-ie-pdm-configuration_31bf3856ad364e35_11.2.9600.16428_none_d6876629731ce419\pdm.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.1.7600.16385_none_1207cf88785de24d\bcryptprimitives.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-com-dtc-oraclesupport_31bf3856ad364e35_6.1.7600.16385_none_ed468092c9bf2870\mtxoci.dll | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-qedit_31bf3856ad364e35_6.1.7601.17514_none_c3168c6e9267a403\qedit.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-msmq-installer_31bf3856ad364e35_6.1.7601.17514_none_7d190f1e5e76acbc\mqsec.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-crtdll_31bf3856ad364e35_6.1.7600.16385_none_e1ab47a4ec02b636\crtdll.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_2d3b8ff08901343f\DismHost.exe | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-m..s-components-jetvba_31bf3856ad364e35_6.1.7600.16385_none_7568a7acf374dfed\expsrv.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmpsrcwp_31bf3856ad364e35_6.1.7601.17514_none_128e8361a0855574\wmpsrcwp.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-n..rity-domain-clients_31bf3856ad364e35_6.1.7601.17514_none_1ce1e5c45077d5f2\ipsmsnap.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll | 1786.tmp
File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e_scecli.dll_149e0f7b | 1786.tmp
File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_5db4abb552efa414_ncrypt.dll_0f36c580 | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_23d2258c5d920952\occache.dll | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\iisreset.exe | 1786.tmp
File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_puiobj.dll_343adf45 | 1786.tmp
File created | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_cntrtextmig.dll_08675f2d | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-dims-autoenroll_31bf3856ad364e35_6.1.7600.16385_none_f3e60ce29c29c7d8\pautoenr.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_578b05f45f6e5c68\dui70.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.7601.17514_none_190fa02cb006154d\msfeedsbs.dll | 1786.tmp
File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_wer.dll_c8c67db6 | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\Cnfgprts.ocx | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-pantherengine_31bf3856ad364e35_6.1.7601.17514_none_b018d97c0418d0df\wdscore.dll | 1786.tmp
File created | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_f3ebb0cc8a4dd814_esent.dll_35f49bdd | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-fde_31bf3856ad364e35_6.1.7601.17514_none_aa136561b9ed4ae4\fde.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_microsoft-windows-healthcenter_31bf3856ad364e35_6.1.7601.17514_none_ad648c1ec21694b8\ActionCenter.dll | 1786.tmp
File created | C:\Windows\winsxs\x86_netfx-mscordbc_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_414c2fe8825bd6cb\mscordbc.dll | 1786.tmp
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_c1fead4e4bf85947\IMTCPROP.exe | 1786.tmp
File created | C:\Windows\winsxs\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c\pdhui.dll | 1786.tmp
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
description | pid | process | target process
PID 2200 wrote to memory of 2056 | 2200 | e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe | 1786.tmp
PID 2200 wrote to memory of 2056 | 2200 | e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe | 1786.tmp
PID 2200 wrote to memory of 2056 | 2200 | e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe | 1786.tmp
PID 2200 wrote to memory of 2056 | 2200 | e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe | 1786.tmp
Processes
1. C:\Users\Admin\AppData\Local\Temp\e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2200
   2. C:\Users\Admin\AppData\Local\Temp\1786.tmp (child of PID 2200)
      Command line: C:\Users\Admin\AppData\Local\Temp\1786.tmp
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      PID: 2056
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 145KB
MD5: c610e7ccd6859872c585b2a85d7dc992
SHA1: 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256: 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512: 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666