Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-11-2024 19:43
Static task: static1
Behavioral task: behavioral1 (Sample: Cryp_RAT.rtf; Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Cryp_RAT.rtf; Resource: win10v2004-20241007-en)
General
Target: Cryp_RAT.rtf
Size: 662KB
MD5: 1fc2941b70df9dd6cdf4cb82af740fe9
SHA1: e5d18e3487ca2d5037215c0e0ebfaf7ccae1c655
SHA256: 44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f
SHA512: d5da156e406093bfd398d78a36962360ed6918d6b96e641843e7eeddbd6fe41c0a1681bf0a4fe9e31be22d7b1e16267e62abafc9c14d1dea223e72f3ef810081
SSDEEP: 12288:6NtcndUa0XzmFe4lT+F4qZDGefM4qeF4C:6Oua0XzmFFI+7Z4VT
Malware Config
Extracted: C:\TdGeIqAUn.README.txt (lockbit)
Signatures
-
Detect Neshta payload (7 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Client.exe | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE | family_neshta
C:\Windows\svchost.com | family_neshta
behavioral1/memory/2636-1094-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2260-1095-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2260-1099-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2636-1097-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Neshta
Neshta is a file infector: malware from this family injects itself into other executable files in order to spread and cause damage.
-
Neshta family
-
Renames multiple (317) files, adding a filename extension
This suggests ransomware activity: files across the system are being encrypted.
-
Executes dropped EXE (5 IoCs)
Processes:
pid | process
2636 | Client.exe
2600 | Client.exe
988 | Client.exe
1916 | 69BB.tmp
2260 | svchost.com
-
Loads dropped DLL (32 IoCs)
Processes:
pid | process
2684 | cmd.exe (2 entries)
2636 | Client.exe
2600 | Client.exe
2636 | Client.exe
988 | Client.exe
2260 | svchost.com (26 entries)
-
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Client.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini | Client.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini | Client.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\TdGeIqAUn.bmp" | Client.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\TdGeIqAUn.bmp" | Client.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid | process
1916 | 69BB.tmp
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2600 set thread context of 988 | 2600 | Client.exe | Client.exe
-
Drops file in Program Files directory (64 IoCs)
Processes:
description: File opened for modification (all entries)
ioc | process
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\misc.exe | Client.exe
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | Client.exe
C:\PROGRA~2\WINDOW~1\WinMail.exe | Client.exe
C:\PROGRA~2\WI54FB~1\wmpconfig.exe | Client.exe
C:\PROGRA~2\WI54FB~1\wmpconfig.exe | svchost.com
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | Client.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | Client.exe
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | Client.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | Client.exe
C:\PROGRA~2\INTERN~1\iexplore.exe | svchost.com
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | Client.exe
C:\PROGRA~2\WI54FB~1\WMPDMC.exe | Client.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | Client.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | Client.exe
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | Client.exe
C:\PROGRA~2\WINDOW~1\wab.exe | svchost.com
C:\PROGRA~2\WI4223~1\sidebar.exe | svchost.com
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | Client.exe
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | Client.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | Client.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | svchost.com
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | Client.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | Client.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | Client.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | Client.exe
C:\PROGRA~2\WINDOW~1\wab.exe | Client.exe
C:\PROGRA~2\WINDOW~1\wabmig.exe | Client.exe
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | Client.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | Client.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | Client.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe | Client.exe
C:\PROGRA~2\WI4223~1\sidebar.exe | Client.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | Client.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | Client.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | Client.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | Client.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
C:\PROGRA~2\WI54FB~1\wmpshare.exe | Client.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | Client.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | Client.exe
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | Client.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | Client.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | Client.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe | Client.exe
C:\PROGRA~2\WINDOW~1\WinMail.exe | svchost.com
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | Client.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe | Client.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | Client.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe | svchost.com
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | Client.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | Client.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | Client.exe
-
Drops file in Windows directory (4 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Client.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69BB.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor (1 TTPs, 2 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes:
pid | process
2724 | EQNEDT32.EXE
2796 | EQNEDT32.EXE
-
Modifies Control Panel (2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "10" | Client.exe
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop | Client.exe
-
Modifies registry class (6 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Client.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.TdGeIqAUn | Client.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.TdGeIqAUn\ = "TdGeIqAUn" | Client.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TdGeIqAUn\DefaultIcon | Client.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TdGeIqAUn | Client.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TdGeIqAUn\DefaultIcon\ = "C:\\ProgramData\\TdGeIqAUn.ico" | Client.exe
-
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
pid | process
2084 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
pid | process
988 | Client.exe (20 entries)
-
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
988 | Client.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2600 | Client.exe
Token: SeAssignPrimaryTokenPrivilege | 988 | Client.exe
Token: SeBackupPrivilege | 988 | Client.exe
Token: SeDebugPrivilege | 988 | Client.exe
Token: 36 | 988 | Client.exe
Token: SeImpersonatePrivilege | 988 | Client.exe
Token: SeIncBasePriorityPrivilege | 988 | Client.exe
Token: SeIncreaseQuotaPrivilege | 988 | Client.exe
Token: 33 | 988 | Client.exe
Token: SeManageVolumePrivilege | 988 | Client.exe
Token: SeProfSingleProcessPrivilege | 988 | Client.exe
Token: SeRestorePrivilege | 988 | Client.exe
Token: SeSecurityPrivilege | 988 | Client.exe
Token: SeSystemProfilePrivilege | 988 | Client.exe
Token: SeTakeOwnershipPrivilege | 988 | Client.exe
Token: SeShutdownPrivilege | 988 | Client.exe
Token: SeDebugPrivilege | 988 | Client.exe
The remaining 47 entries are repeated SeBackupPrivilege and SeSecurityPrivilege tokens, all for PID 988 Client.exe.
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
2084 | WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory (37 IoCs)
Processes:
description | pid | process | target process | entries
PID 2796 wrote to memory of 2684 | 2796 | EQNEDT32.EXE | cmd.exe | 4
PID 2684 wrote to memory of 2636 | 2684 | cmd.exe | Client.exe | 4
PID 2636 wrote to memory of 2600 | 2636 | Client.exe | Client.exe | 4
PID 2600 wrote to memory of 988 | 2600 | Client.exe | Client.exe | 12
PID 988 wrote to memory of 1916 | 988 | Client.exe | 69BB.tmp | 5
PID 1916 wrote to memory of 2260 | 1916 | 69BB.tmp | svchost.com | 4
PID 2260 wrote to memory of 1780 | 2260 | svchost.com | cmd.exe | 4
Processes
-
[depth 1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2084)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2724)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
-
[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2796)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 2684)
    Command line: cmd.exe /c%tmp%\Client.exe AC
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 2636)
      Command line: C:\Users\Admin\AppData\Local\Temp\Client.exe AC
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe (PID 2600)
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe" A C
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe (PID 988)
          Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops desktop.ini file(s)
          - Sets desktop wallpaper using registry
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: RenamesItself
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\ProgramData\69BB.tmp (PID 1916)
            Command line: "C:\ProgramData\69BB.tmp"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\svchost.com (PID 2260)
              Command line: "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\SysWOW64\cmd.exe (PID 1780)
                Command line: C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL
                - System Location Discovery: System Language Discovery
-
[depth 1] C:\Windows\system32\AUDIODG.EXE (PID 352)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
Downloads