Resubmissions
19-12-2024 07:19
241219-h5ky9svjdx 1019-12-2024 07:17
241219-h4paastrhw 1019-12-2024 06:38
241219-hebynstnaj 10Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-12-2024 07:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa.exe
Resource
win11-20241007-en
windows11-21h2-x64
15 signatures
150 seconds
General
-
Target
f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa.exe
-
Size
473KB
-
MD5
b4406153f1df78ecd5a8a9dd6c44df10
-
SHA1
83cd4551d0087300cd4f08a58b947c6e9a999227
-
SHA256
f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa
-
SHA512
6ddb874f324211493445a702ae3cfd9104e3e628f61df6eec5b517b841085a483eaac6eb3234a92e836f307d91dba252f601035a0baea37238eaa7108b925aef
-
SSDEEP
12288:5CQjgAtAHM+vetZxF5EWry8AJGy0Bs+tGeJf:55ZWs+OZVEWry8AFqcI
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTMxODEwNzExMzIxNzcyMDM0MA.Gra180.ZB3ql0V1ISsfHNmIYjIAoYWHwYCVngKH7geZ5E
-
server_id
1314879064468754498
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Executes dropped EXE 1 IoCs
pid Process 2184 backdoor.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: SearchIndexer.exe File opened (read-only) \??\x: SearchIndexer.exe File opened (read-only) \??\b: SearchIndexer.exe File opened (read-only) \??\J: SearchIndexer.exe File opened (read-only) \??\P: SearchIndexer.exe File opened (read-only) \??\Q: SearchIndexer.exe File opened (read-only) \??\u: SearchIndexer.exe File opened (read-only) \??\M: SearchIndexer.exe File opened (read-only) \??\N: SearchIndexer.exe File opened (read-only) \??\O: SearchIndexer.exe File opened (read-only) \??\T: SearchIndexer.exe File opened (read-only) \??\U: SearchIndexer.exe File opened (read-only) \??\Y: SearchIndexer.exe File opened (read-only) \??\z: SearchIndexer.exe File opened (read-only) \??\A: SearchIndexer.exe File opened (read-only) \??\D: SearchIndexer.exe File opened (read-only) \??\R: SearchIndexer.exe File opened (read-only) \??\t: SearchIndexer.exe File opened (read-only) \??\W: SearchIndexer.exe File opened (read-only) \??\y: SearchIndexer.exe File opened (read-only) \??\a: SearchIndexer.exe File opened (read-only) \??\r: SearchIndexer.exe File opened (read-only) \??\S: SearchIndexer.exe File opened (read-only) \??\k: SearchIndexer.exe File opened (read-only) \??\V: SearchIndexer.exe File opened (read-only) \??\Z: SearchIndexer.exe File opened (read-only) \??\E: SearchIndexer.exe File opened (read-only) \??\g: SearchIndexer.exe File opened (read-only) \??\i: SearchIndexer.exe File opened (read-only) \??\m: SearchIndexer.exe File opened (read-only) \??\o: SearchIndexer.exe File opened (read-only) \??\p: SearchIndexer.exe File opened (read-only) \??\w: SearchIndexer.exe File opened (read-only) \??\B: SearchIndexer.exe File opened (read-only) \??\l: SearchIndexer.exe File opened (read-only) \??\L: SearchIndexer.exe File opened (read-only) \??\H: SearchIndexer.exe File opened (read-only) \??\j: SearchIndexer.exe File opened (read-only) \??\n: SearchIndexer.exe File opened (read-only) \??\v: SearchIndexer.exe File opened (read-only) \??\X: SearchIndexer.exe File opened (read-only) \??\F: SearchIndexer.exe File opened (read-only) \??\G: SearchIndexer.exe File opened (read-only) \??\h: SearchIndexer.exe File opened (read-only) \??\s: SearchIndexer.exe File opened (read-only) \??\e: SearchIndexer.exe File opened (read-only) \??\I: SearchIndexer.exe File opened (read-only) \??\K: SearchIndexer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName Taskmgr.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e54ff76fe651db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb3e2d71e651db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9f42c74e651db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffb55e6fe651db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000357e3674e651db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 59 IoCs
pid Process 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1688 Taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2184 backdoor.exe Token: 33 2100 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2100 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2100 SearchIndexer.exe Token: SeDebugPrivilege 1688 Taskmgr.exe Token: SeSystemProfilePrivilege 1688 Taskmgr.exe Token: SeCreateGlobalPrivilege 1688 Taskmgr.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
pid Process 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe -
Suspicious use of SendNotifyMessage 46 IoCs
pid Process 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe 1688 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4264 OpenWith.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4456 wrote to memory of 2184 4456 f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa.exe 77 PID 4456 wrote to memory of 2184 4456 f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa.exe 77 PID 2100 wrote to memory of 4412 2100 SearchIndexer.exe 84 PID 2100 wrote to memory of 4412 2100 SearchIndexer.exe 84 PID 2100 wrote to memory of 4232 2100 SearchIndexer.exe 85 PID 2100 wrote to memory of 4232 2100 SearchIndexer.exe 85 PID 2100 wrote to memory of 5036 2100 SearchIndexer.exe 86 PID 2100 wrote to memory of 5036 2100 SearchIndexer.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa.exe"C:\Users\Admin\AppData\Local\Temp\f9c11fc00bd4da4b93c834e5f0d65de37658f0b878a9c2b3c4055a8742b6affa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4412
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 828 1532 1544 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}2⤵
- Modifies data under HKEY_USERS
PID:4232
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 828 1716 1748 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}2⤵
- Modifies data under HKEY_USERS
PID:5036
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4264
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5c1dd3be72fe23b81d9f027449411dadc
SHA1cfdf1a1cc5a4f669236925e5a95b45212f9c55a6
SHA256c2c44ed09535bc478c604f525a409d072b737f420bdbc7263aaeebd4d81dffce
SHA5128802d1c1fa2cdab19e0a6e0881d2819df3c2b0515c56658a5431a4fcd3288a6f3774e89180a1f375951d1579e88f060cfca036c91f572bf139fdd9826209bf4f