bdaejec | 17868087c32d9352d79b07c1b1c6a0fdc7925d02b72c0fa2f45706cef26a1ee9

Analysis

max time kernel
117s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-02-2025 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
Size

1.6MB
MD5

bb9832dba928c04e45429e8f641034c6
SHA1

3502d220e47c1eaabd7f489111ebb063305f06a8
SHA256

17868087c32d9352d79b07c1b1c6a0fdc7925d02b72c0fa2f45706cef26a1ee9
SHA512

2fbdf703d2f5235ada65bb0b35144ad5290261f490baac418943ecda1c43c5b083b558fe1a423a692b57c810b8cfa6dad14e50ad545e7d4c7b809132a84e85c2
SSDEEP

24576:mMp+uOXsCkPVqqAGyyw7Yhma1c4m6pcoagAJHNvay:aVXkWDyWYhmaZaSs

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 2 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/2704-12-0x00000000001C0000-0x00000000001C9000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/2704-41-0x00000000001C0000-0x00000000001C9000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000012118-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2704	fHYwvi.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	fHYwvi.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	fHYwvi.exe
File opened for modification	C:\Program Files\CompleteUnprotect.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	fHYwvi.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	fHYwvi.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	fHYwvi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	fHYwvi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fHYwvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c556ca2cd1f86f4d8f951fb487e9d5e600000000020000000000106600000001000020000000c9387df12de64c78c03c431147c00c20bb0d2a226627aec4e1425d91242f2783000000000e8000000002000020000000ed0dd67e30174b374ad4ba5d93969a5fdfd3d20e41a859e8289efd46016a5e0f90000000532b0a7edc98341de9f320371416d33ac8a4295f2a70479219bfd6973b9cb0e48dd73f5dc0e8e8f92a1b9ffabd29c0b68c88fe5ee2f6164adc27d18523ad9ce8f0c76c49767d2c5764f55ead133afbec024413eb5aa712dc024bc90e8270b663ac9cae229d5ded6a7ad7d0bbccfd034371d9c2ff90b077d4579b56e4ea425658c1f2a14dad57db2c8f0f8a9b8adc57ae40000000b3423e6310112fae5f9f089dca83cfe38f8178c30bfce9bd0e78ee8a3235cfbbd8ac4ab921a2cb41ce23315f862d5ffe55fc30d7fa3093ad5524c89a7c9737b4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446504645"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DEFC891-F225-11EF-ABFC-465533733A50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 900321333286db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c556ca2cd1f86f4d8f951fb487e9d5e6000000000200000000001066000000010000200000009e84299241ef6619c29f38a985c3556feb0750386c488b50856970a1069fb106000000000e800000000200002000000095b1278cac9728c06d2af81c259408dd008ac81c85e6a3f35f5c1f134e28f29b2000000018edcdc413e56210a466da089157f31a8531b12ad21be6e52a0fbde27106788740000000e0a5be4b0ef02d5a0fc013488f9a94593ba68de5cdc3548c04f318ff5e6aa7457803693f929c74f2e766ef71ca41f5a3e4321ff188733164b8e55410e68ae333	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1632	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
1632	iexplore.exe
1632	iexplore.exe
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2704	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	30
PID 2176 wrote to memory of 2704	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	30
PID 2176 wrote to memory of 2704	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	30
PID 2176 wrote to memory of 2704	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	30
PID 2176 wrote to memory of 1632	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	32
PID 2176 wrote to memory of 1632	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	32
PID 2176 wrote to memory of 1632	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	32
PID 2176 wrote to memory of 1632	2176	2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe	32
PID 1632 wrote to memory of 1580	1632	iexplore.exe	33
PID 1632 wrote to memory of 1580	1632	iexplore.exe	33
PID 1632 wrote to memory of 1580	1632	iexplore.exe	33
PID 1632 wrote to memory of 1580	1632	iexplore.exe	33
PID 2704 wrote to memory of 628	2704	fHYwvi.exe	38
PID 2704 wrote to memory of 628	2704	fHYwvi.exe	38
PID 2704 wrote to memory of 628	2704	fHYwvi.exe	38
PID 2704 wrote to memory of 628	2704	fHYwvi.exe	38

C:\Users\Admin\AppData\Local\Temp\2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-23_bb9832dba928c04e45429e8f641034c6_icedid_smoke-loader_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\fHYwvi.exe
  C:\Users\Admin\AppData\Local\Temp\fHYwvi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\3b3f2949.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ventrilo.com/tutorial.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49375fe0abfc6268182b0bee9d19c9d2

SHA1
7734bea14e92df937f18d0bb67c1cf23cc558ef4

SHA256
68ca587a79c24ac17e16073a6ef7bf761dee7d431c31ad94613eca3fd783bf14

SHA512
73ce7be375332b1c6647dcd9f16523157a7b8433e03a1adbc961b0d04c15e1efd86af8b13f53f5c885073d56cf2c4e3e254868180e9a6c3c35da3aacb83e1a21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af023ff4443547e47da9d373ae240362

SHA1
d508c57e641ad8e04b05771e9424dec9c8ff3466

SHA256
b1a06189dd82e5837f80f22985eb1d37e6fd177144bc63b281f945b398fa26de

SHA512
0eb3f31b25eb22dc53d23f4bd1f98cf516e58f473aca2a8651d0fd7d93aafca28855eeda1850c3269737c15b7e7413c13d672258a03b80c6d360a9b53ac7ab85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd5b1e0cb4b915a74a3f49ea6c8bfcb7

SHA1
f0cffbad959d72e3db3fc55a501206d559fd70ed

SHA256
f2619d4fbfc236968848df450957f8addd5e309dd7aa5dfe5c2bb460dc35982c

SHA512
fb0b63cdac86398cd785696cc4e5f4f3f18096d9151fe7f48495f55bab115519a2b4a7ef22c922527698848ab2fb46aafe186dd21a92d46f8b3efe9e35a72080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
152895f804db88e2209049cc7e276a53

SHA1
99d6b1b3d2fc08db3639766790b0cb9bcd0129c4

SHA256
a0ee7b6ad8f87343954db796fa49e81db13308887c565c420f5958286d6bfccc

SHA512
f700408768d0e040fa7b8ae3145dbfbd78eb6458060e8f78da15560acefba7be42ad86493ccca69245cb977208d44be41493042e58634011f78b62b8dcad3fc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9116e010de799db897d6c016c15995b

SHA1
5c70719f2abf6d6f22bced712d724189b5330476

SHA256
87520ce16d718e2e2e02ba18224d6f660c9d635d1e096493251fcf02586d60f1

SHA512
40c2ac2fcdbb6edc8e954c196ee00ad27215b018df065c40f87b006a9a4af2c66592a6d4d01e12b3d8069ffcd2e7332d6ceea3d2dcd68c49bf3daa9c5bd45a9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2288d747fca88ed6d14977947f4a6db6

SHA1
0790219a23f6a376055f9c8c0cca73cf8b803b92

SHA256
5c9af88b0cb933d6b2d1ea685c9c41749cd822ac8bb6560a821b20eae7171007

SHA512
7589b80cbe3d619b679b355cc4b4001ee848f9ffe998c2f607b627b24552f5912eeeb8a9a7309c7051e3e3b3a4a6ddea5e3fe7d2fb15b3e4bcf606ea1455b30f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
882a0ce0ebe76ed0f551bf723408daa4

SHA1
346ba921ecb0edc0b5976c7e136fcac1cd0eead5

SHA256
fd803e19ff0a1676af69c6a0788496c72f6fbd262b8e12a0fa66cafb0640bb82

SHA512
c805fc4d9ce92fabf1351ada43a2738c9aa50d9d7e2844fc6d5d5a6c5915b23535e9f63597c331af1b582a53f5a07b66abe225341571f5084781df09966a241e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2545907907d4e0136ed5526f4c80e422

SHA1
b8ee698f57959e782e350fd5bb9097d154ebd063

SHA256
6fe245baf30fc4668b30e7c0cad7f2fe5dc5b722ca0f3d4f3245181b8c82a36f

SHA512
e14f8499627831f05643771211a1ab7bf180594e632e3fe19149d14bbc083b7feb703b30d6f29f1dad18815800294d40c8337c191c372bfd4d14ba9605eb5977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cb64fe6611b40b9c5ef1eab89551dcb

SHA1
3957859022c97ce00f916c509dec78151558cebc

SHA256
125c54d11fb6af8f582bcd911d9853e2b76286250f7e145bac01e1c42e938e83

SHA512
9b8e9762e1b22b7bd1839ed4e92e3ecad6e45ec48f09d8631e67ce90038d3686369e4641e390fb763acbb3e4af9b4bc3662f35c88c8502afa63aa8efd8eec8a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c5fc4d5b950b290ca0fc221ea49cd2a

SHA1
7348f8c0ad3808d4ba6892098ab2b9a05f4cb60b

SHA256
d0fe92a403bb3c1ace8b1c73e8fc4caca8493524f94e23c10ecba6f0ecc8a106

SHA512
bec666938e77fbd82943f9ba4682c9761993879497ca6de6d5449f917651c7e9efc799ac4b0bca0101534d856ade9b9abeb218589e0636e3df7eedb4e6a28281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dbf0e149ea86d5c0b60875c54235e71

SHA1
cc966c1ef26d60c6179d667fc37b02127c7a3ed2

SHA256
ea2b2110e4cced26b869056d4556f119172c74124162c137e4f212a0d7021da4

SHA512
52c88b5e609c7ff3d19304843d2f11d8ec30a726c162f89523d8cdd08c1c378098588695f9b7a0a0c7260a72c3bc79cd8bb4ff62d93e96edc8201b5e0a44c2d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e2b00a05766d6da725eca1fee615276

SHA1
985a546ba019d1fb22fbb17967b4abca00c1a6c4

SHA256
2d988b83ab955aacafd520183da7ddb3a7013bd8de82de3fd2563e2b7887df15

SHA512
baa2a1900ac42fa10517f79e4411e1b3c5f67e29d8d94004a9a5901d35d3d9c9cec658586e8aa9d4f50ba930b471f061ff7e9a7235886638c35b723d13eef78d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e88f4815769e99e441ac99356558f71

SHA1
9c259e1ea19e8ed40f4dff3247a4df63ccbaf4cb

SHA256
75bcfa295137d97038a851f0cd7ed203b9d3806320703168f12a7575f8141bc6

SHA512
3e0137ef5e074989402922417043513a3649ad47e16c544c9269a888bd57df2897f54bd4e6994e686d0a18451a693137cdbbb3aa62266cf61c797e8e765a67df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b1761b78f76f349e54fd0e71402d6f6

SHA1
c678d9490f48ec01dcfc92db5731263d1ade3392

SHA256
3362d3dc244a4ff3b03b14b8f342b37ede068e1a0879cd3015e718e39a2613f1

SHA512
027a8e8df69f62efd75a421424b6b561bfbda4f1228e5155c2b2a0b536ffa90a78fcbc43e1b0e5cc33d2d9a7e0270f0c20de1929c0f81a357851636554ba07a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1468f97e3f296698a925254563e46ca2

SHA1
de2aa1f05fdbd14085225c482fa8c20f550871e7

SHA256
acda53e2074bec48d2a765d5e06cbb94ad893f2c70b2a70ee4cc8392ba3f43e6

SHA512
aa22fa46b549461be47518af7126a114abc9efc9dc24494e372171305f0d1c312a99bee25642492e086a4816f1d8510a04785e0b3e1ddcae4d10e771e0c2b2a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6f49258f1501dd8fdf2c78c521e4aff

SHA1
448f10cea99c2e5e07e214e48eaeacd72f4aad06

SHA256
06a0bf0772fe133089ea5ec5d151198a4b8ed7830f6103d0fcdd39d183c85d4b

SHA512
3369a4bcf905e399b6853d3ed29e8e350a5f6f3a5b51af37894cc9ba1d1ff1dcdd90d20b09c8bf410091d08d2cadea54f883dd88e26acd364e3daaab895c5e86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf28e40a9fd5208a2fe19ee4a90a0b9b

SHA1
ec16cd726461429314e62443771a4906e064f5af

SHA256
13138322d746e65ac93577c4f5766b1cdaeeaa632ed352df8937fc4c1dbf4bec

SHA512
353992555462f7846fd4cbc72947a8344dfc951966a0bdbb3746d47be5e86618d1157f1db518cdf7dfef408c31a07b5fa3b7a7b5cf61f7f92a7c2a4ce4ad78c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6366aa47e686d65fc603cabb5b0e556

SHA1
757c557c29aa859515432b8b20e35d89ab674324

SHA256
123d085e281b476c9335b09e5976009e8f238534e0c2ab17c72d1c36022c2531

SHA512
4d9e9920fa1db730f4e12ca08dd517289846f36e67715b80c7526863e19411e13b8d5e079d427a4b08466487dd732531cc385f13a7bf2cb509cdc9b2d7559227

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bfd09efe85074fdcf376ac37566db6f

SHA1
927de2a0a4116489b9697635bb3f79231bf6ab84

SHA256
982d7c3940b4ecd7b690c7a16679d3e4deeb7e3c6e9984637f219798ba7efe96

SHA512
800402abb986334acaebd2e6283e8bdb956fbce292db978b41e585ed8fec2a57b0401cba280ad27aa818cd141d38b1fd974ba327d9dee88a0140aeee302cf61a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff9a2cc5843761a47fd3ac9b7ec4ce40

SHA1
c87eb3c23f744e054a9507bee6780af560411e23

SHA256
b59ec4f92c2e373481268f2f5f804a351d4eb7d76c63815bf7628b16fe2170d0

SHA512
3bbee102710bc31429110b5fe46d17f36097cba3ef32da605cf031c69fb963d7637daae1bb9eb695fbad1f2fbbeb39defee8cba6f9920a4476cd8fc14a5f7afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bl977i7\imagestore.dat

Filesize
21KB

MD5
db52f58a409282795750823192ca9302

SHA1
36abe583812fab9393504649d967b822bdc46f23

SHA256
cffa8d1cbe549df945a4bcc9f900802c7f7f965a3279e7e01b1591bbdd294b54

SHA512
4ed5e0bdb0a16078fea89d8c79c7e78aff78acea29c49cdf529e75ec8209876b7978fe0b62827105e01b58ff89ec7fd83bdb34d49baed9bbf9e2e965afdf7669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\touch-icon-16[1].png

Filesize
21KB

MD5
8226f4233d78108960bde82b9ef500f8

SHA1
cd29f165ac5a3a32863141b2754a96574021d36b

SHA256
13c7ed2aa0b99d2484582573775b521633619c7db3323c8b4848ef32cd937182

SHA512
82bf5175de70b05e27ff21709afb04a9cd1fa6c8c63c145d3a48eaadef9bf910d85b43bf1154ac740f5b983a9e2bdc77e7da928551804bcb07c16121dcb76f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b3f2949.bat

Filesize
187B

MD5
215d71803428a0acfb400c669067e37f

SHA1
2e884dd2d9b9297f8b13bdfa6833972f5dd00d82

SHA256
abcd57a5ae7a1fb0923f22fb8b6981722ba66970db90a2e896492bf43dd05b54

SHA512
8c9fd611e8c82c72f2179715bb2314f6baf886a3bcb5bba52bec430a60d4e2824bf48ad42d334710c9a4604f2aa8b42692c0d7e90a596a5d65f0df0b3abb39dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7917.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar79C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHYwvi.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/2176-11-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/2176-0-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/2176-10-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/2176-17-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/2704-12-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/2704-41-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download