mylobot | f2bae4d8912682525ecd787fb921c3b57d8672c44ea73eb23c0ab278cf1fb939

General

Target

f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
Size

312KB
MD5

bfef91bacc33b5424ea2a40245fd9039
SHA1

a9c60eb8dabc24b04eaf99c3c613f6d5c1a19b41
SHA256

f2bae4d8912682525ecd787fb921c3b57d8672c44ea73eb23c0ab278cf1fb939
SHA512

19de586b1ec80cabd40d78e02e7cd8f5d868c9a907433dc9b6fb16747157d4a613d17cad43e249841cb841b0838bd33cf15eb413d8510f62975ef6c0b24ff2e3
SSDEEP

6144:kn9+9wPbNTK0Q/fvzKZ62jY/776KOWu/GduR9swnApRTv+:k9RTG/fvyLj472KOv/GduzsJpRq

Score

10^/10

mylobot botnet discovery persistence

Malware Config

Extracted

Family

mylobot

C2

eakalra.ru:1281

op17.ru:6006

ad21822.ru:8742

urtuifc.ru:1692

nmernrh.ru:4163

bjbhtsc.ru:6239

jmbfgpn.ru:1344

hoebfle.ru:9593

okllxlr.ru:8335

klqzrze.ru:6999

xwstyrt.ru:8627

qgfhmmm.ru:1886

ygdgryq.ru:5843

unsyisl.ru:7365

snzglco.ru:3268

fchbwme.ru:7533

iqaagar.ru:2919

flkpuod.ru:5796

zuenhrs.ru:9439

lqejyjg.ru:4627

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3968 svchost.exe
Executes dropped EXE 2 IoCs

Processes:

d7a8d09d.exed7a8d09d.exe

pid process

2432 d7a8d09d.exe
2892 d7a8d09d.exe

pid	process
3968	svchost.exe

pid	process
2432	d7a8d09d.exe
2892	d7a8d09d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E6072832-284F-837E-B7D4-CD811475628E} = "c:\\programdata\\{7a170002-007f-1f6e-b7d4-cd811475628e}\\d7a8d09d.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E6072832-284F-837E-B7D4-CD811475628E} = "c:\\programdata\\{7A170002-007F-1F6E-B7D4-CD811475628E}\\d7a8d09d.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f7ba9baf-82b3-546b-222c-2f2551e2f1da.exed7a8d09d.exe

description	pid	process	target process
PID 3052 set thread context of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 2432 set thread context of 2892	2432	d7a8d09d.exe	d7a8d09d.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exef7ba9baf-82b3-546b-222c-2f2551e2f1da.exef7ba9baf-82b3-546b-222c-2f2551e2f1da.exesvchost.exenotepad.exed7a8d09d.exed7a8d09d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7a8d09d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7a8d09d.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d7a8d09d.exef7ba9baf-82b3-546b-222c-2f2551e2f1da.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	d7a8d09d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	d7a8d09d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 6 IoCs

Processes:

svchost.exetaskmgr.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{7A170001-007C-1F6E-B7D4-CD811475628E}\ = "1725505760"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{203227FF-2782-454B-B7D4-CD811475628E}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{7A170001-007C-1F6E-B7D4-CD811475628E}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{203227FF-2782-454B-B7D4-CD811475628E}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{7A170001-007C-1F6E-B7D4-CD811475628E}	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7ba9baf-82b3-546b-222c-2f2551e2f1da.exesvchost.exetaskmgr.exetaskmgr.exed7a8d09d.exesvchost.exe

pid	process
3624	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
3624	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2892	d7a8d09d.exe
2892	d7a8d09d.exe
1992	svchost.exe
1992	svchost.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2360 taskmgr.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

f7ba9baf-82b3-546b-222c-2f2551e2f1da.exed7a8d09d.exe

pid process

3624 f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
2892 d7a8d09d.exe

pid	process
2360	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskmgr.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1756	taskmgr.exe
Token: SeSystemProfilePrivilege	1756	taskmgr.exe
Token: SeCreateGlobalPrivilege	1756	taskmgr.exe
Token: 33	1756	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1756	taskmgr.exe
Token: SeDebugPrivilege	2360	taskmgr.exe
Token: SeSystemProfilePrivilege	2360	taskmgr.exe
Token: SeCreateGlobalPrivilege	2360	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe
2360	taskmgr.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f7ba9baf-82b3-546b-222c-2f2551e2f1da.exef7ba9baf-82b3-546b-222c-2f2551e2f1da.exesvchost.exenotepad.exed7a8d09d.exed7a8d09d.exesvchost.exe

description	pid	process	target process
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3052 wrote to memory of 3624	3052	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3624 wrote to memory of 3968	3624	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	svchost.exe
PID 3624 wrote to memory of 3968	3624	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	svchost.exe
PID 3624 wrote to memory of 3968	3624	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	svchost.exe
PID 3624 wrote to memory of 3968	3624	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe	svchost.exe
PID 3968 wrote to memory of 3052	3968	svchost.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3968 wrote to memory of 3052	3968	svchost.exe	f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
PID 3968 wrote to memory of 1488	3968	svchost.exe	notepad.exe
PID 3968 wrote to memory of 1488	3968	svchost.exe	notepad.exe
PID 3968 wrote to memory of 1488	3968	svchost.exe	notepad.exe
PID 3968 wrote to memory of 1488	3968	svchost.exe	notepad.exe
PID 3968 wrote to memory of 1488	3968	svchost.exe	notepad.exe
PID 1488 wrote to memory of 2432	1488	notepad.exe	d7a8d09d.exe
PID 1488 wrote to memory of 2432	1488	notepad.exe	d7a8d09d.exe
PID 1488 wrote to memory of 2432	1488	notepad.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2432 wrote to memory of 2892	2432	d7a8d09d.exe	d7a8d09d.exe
PID 2892 wrote to memory of 1992	2892	d7a8d09d.exe	svchost.exe
PID 2892 wrote to memory of 1992	2892	d7a8d09d.exe	svchost.exe
PID 2892 wrote to memory of 1992	2892	d7a8d09d.exe	svchost.exe
PID 2892 wrote to memory of 1992	2892	d7a8d09d.exe	svchost.exe
PID 1992 wrote to memory of 1488	1992	svchost.exe	notepad.exe
PID 1992 wrote to memory of 1488	1992	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
"C:\Users\Admin\AppData\Local\Temp\f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe
  "C:\Users\Admin\AppData\Local\Temp\f7ba9baf-82b3-546b-222c-2f2551e2f1da.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1488
    - - \??\c:\programdata\{7A170002-007F-1F6E-B7D4-CD811475628E}\d7a8d09d.exe
        
        c:\programdata\{7A170002-007F-1F6E-B7D4-CD811475628E}\d7a8d09d.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - \??\c:\programdata\{7A170002-007F-1F6E-B7D4-CD811475628E}\d7a8d09d.exe
        
        c:\programdata\{7A170002-007F-1F6E-B7D4-CD811475628E}\d7a8d09d.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{7A170002-007F-1F6E-B7D4-CD811475628E}\d7a8d09d.exe

Filesize
312KB

MD5
bfef91bacc33b5424ea2a40245fd9039

SHA1
a9c60eb8dabc24b04eaf99c3c613f6d5c1a19b41

SHA256
f2bae4d8912682525ecd787fb921c3b57d8672c44ea73eb23c0ab278cf1fb939

SHA512
19de586b1ec80cabd40d78e02e7cd8f5d868c9a907433dc9b6fb16747157d4a613d17cad43e249841cb841b0838bd33cf15eb413d8510f62975ef6c0b24ff2e3

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
memory/1488-17-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1488-75-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1756-33-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-40-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-38-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-34-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-39-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-42-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-43-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-44-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-32-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1756-41-0x0000025D77440000-0x0000025D77441000-memory.dmp

Filesize
4KB

Download
memory/1992-73-0x0000000000680000-0x00000000006B5000-memory.dmp

Filesize
212KB

Download
memory/1992-70-0x0000000000680000-0x00000000006B5000-memory.dmp

Filesize
212KB

Download
memory/1992-76-0x0000000000680000-0x00000000006B5000-memory.dmp

Filesize
212KB

Download
memory/1992-72-0x0000000000680000-0x00000000006B5000-memory.dmp

Filesize
212KB

Download
memory/1992-71-0x0000000000680000-0x00000000006B5000-memory.dmp

Filesize
212KB

Download
memory/2892-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-74-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3052-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3624-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-5-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-9-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-18-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-7-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-8-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-12-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-6-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/3968-10-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads