1ba569c631438a0fb356441838ff328835d607e7cdb217cc444923c1ec58337b

Resubmissions

20-01-2021 09:31

210120-y3h9wsa5de 10

11-01-2021 07:47

210111-ejedv476k6 9

Analysis

max time kernel
137s
max time network
126s
platform
windows10_x64
resource
win10v20201028
submitted
11-01-2021 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab3580b5eb547523abf3c29133504c64.exe
Size

5.3MB
MD5

ab3580b5eb547523abf3c29133504c64
SHA1

8f3d44bb3a48a76be53b8e6d227b5dda432ed5b5
SHA256

1ba569c631438a0fb356441838ff328835d607e7cdb217cc444923c1ec58337b
SHA512

5a3c89cd5f73ae2d2330cc362d58556280b2ca5196aa1643982c3622936c024088ed3cbc72f5489fe2c326495b82cb69cbeacb81d112ca9fdf0af183c95b5ff4

Score

9^/10

discovery evasion spyware upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 7 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

24 4328 RUNDLL32.EXE
30 4524 WScript.exe
32 4524 WScript.exe
34 4524 WScript.exe
36 4524 WScript.exe
37 4328 RUNDLL32.EXE
38 4328 RUNDLL32.EXE
Executes dropped EXE 5 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exedunijgijkc.exe

pid process

3020 4_ico.exe
3748 6_ico.exe
2912 vpn_ico.exe
3560 SmartClock.exe
3536 dunijgijkc.exe

flow	pid	process
24	4328	RUNDLL32.EXE
30	4524	WScript.exe
32	4524	WScript.exe
34	4524	WScript.exe
36	4524	WScript.exe
37	4328	RUNDLL32.EXE
38	4328	RUNDLL32.EXE

pid	process
3020	4_ico.exe
3748	6_ico.exe
2912	vpn_ico.exe
3560	SmartClock.exe
3536	dunijgijkc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dunijgijkc.exe	upx
C:\Users\Admin\AppData\Local\Temp\dunijgijkc.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exeSmartClock.exe6_ico.exe4_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 4 IoCs

Processes:

ab3580b5eb547523abf3c29133504c64.exerundll32.exeRUNDLL32.EXE

pid process

1052 ab3580b5eb547523abf3c29133504c64.exe
4184 rundll32.exe
4184 rundll32.exe
4328 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

pid process

3020 4_ico.exe
3748 6_ico.exe
2912 vpn_ico.exe
3560 SmartClock.exe

pid	process
1052	ab3580b5eb547523abf3c29133504c64.exe
4184	rundll32.exe
4184	rundll32.exe
4328	RUNDLL32.EXE

flow	ioc
8	ip-api.com

pid	process
3020	4_ico.exe
3748	6_ico.exe
2912	vpn_ico.exe
3560	SmartClock.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exeRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4144 timeout.exe
1528 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings vpn_ico.exe

pid	process
4144	timeout.exe
1528	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3560 SmartClock.exe

pid	process
3560	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3748	6_ico.exe
3748	6_ico.exe
3020	4_ico.exe
3020	4_ico.exe
2912	vpn_ico.exe
2912	vpn_ico.exe
3560	SmartClock.exe
3560	SmartClock.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
4328	RUNDLL32.EXE
4328	RUNDLL32.EXE
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4184	rundll32.exe
Token: SeDebugPrivilege	4328	RUNDLL32.EXE
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4328 RUNDLL32.EXE

pid	process
4328	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

ab3580b5eb547523abf3c29133504c64.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.exedunijgijkc.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 1052 wrote to memory of 3020	1052	ab3580b5eb547523abf3c29133504c64.exe	4_ico.exe
PID 1052 wrote to memory of 3020	1052	ab3580b5eb547523abf3c29133504c64.exe	4_ico.exe
PID 1052 wrote to memory of 3020	1052	ab3580b5eb547523abf3c29133504c64.exe	4_ico.exe
PID 1052 wrote to memory of 3748	1052	ab3580b5eb547523abf3c29133504c64.exe	6_ico.exe
PID 1052 wrote to memory of 3748	1052	ab3580b5eb547523abf3c29133504c64.exe	6_ico.exe
PID 1052 wrote to memory of 3748	1052	ab3580b5eb547523abf3c29133504c64.exe	6_ico.exe
PID 1052 wrote to memory of 2912	1052	ab3580b5eb547523abf3c29133504c64.exe	vpn_ico.exe
PID 1052 wrote to memory of 2912	1052	ab3580b5eb547523abf3c29133504c64.exe	vpn_ico.exe
PID 1052 wrote to memory of 2912	1052	ab3580b5eb547523abf3c29133504c64.exe	vpn_ico.exe
PID 3020 wrote to memory of 3560	3020	4_ico.exe	SmartClock.exe
PID 3020 wrote to memory of 3560	3020	4_ico.exe	SmartClock.exe
PID 3020 wrote to memory of 3560	3020	4_ico.exe	SmartClock.exe
PID 2912 wrote to memory of 3536	2912	vpn_ico.exe	dunijgijkc.exe
PID 2912 wrote to memory of 3536	2912	vpn_ico.exe	dunijgijkc.exe
PID 2912 wrote to memory of 3536	2912	vpn_ico.exe	dunijgijkc.exe
PID 2912 wrote to memory of 2040	2912	vpn_ico.exe	WScript.exe
PID 2912 wrote to memory of 2040	2912	vpn_ico.exe	WScript.exe
PID 2912 wrote to memory of 2040	2912	vpn_ico.exe	WScript.exe
PID 3748 wrote to memory of 720	3748	6_ico.exe	cmd.exe
PID 3748 wrote to memory of 720	3748	6_ico.exe	cmd.exe
PID 3748 wrote to memory of 720	3748	6_ico.exe	cmd.exe
PID 720 wrote to memory of 1528	720	cmd.exe	timeout.exe
PID 720 wrote to memory of 1528	720	cmd.exe	timeout.exe
PID 720 wrote to memory of 1528	720	cmd.exe	timeout.exe
PID 3748 wrote to memory of 4100	3748	6_ico.exe	cmd.exe
PID 3748 wrote to memory of 4100	3748	6_ico.exe	cmd.exe
PID 3748 wrote to memory of 4100	3748	6_ico.exe	cmd.exe
PID 4100 wrote to memory of 4144	4100	cmd.exe	timeout.exe
PID 4100 wrote to memory of 4144	4100	cmd.exe	timeout.exe
PID 4100 wrote to memory of 4144	4100	cmd.exe	timeout.exe
PID 3536 wrote to memory of 4184	3536	dunijgijkc.exe	rundll32.exe
PID 3536 wrote to memory of 4184	3536	dunijgijkc.exe	rundll32.exe
PID 3536 wrote to memory of 4184	3536	dunijgijkc.exe	rundll32.exe
PID 4184 wrote to memory of 4328	4184	rundll32.exe	RUNDLL32.EXE
PID 4184 wrote to memory of 4328	4184	rundll32.exe	RUNDLL32.EXE
PID 4184 wrote to memory of 4328	4184	rundll32.exe	RUNDLL32.EXE
PID 2912 wrote to memory of 4524	2912	vpn_ico.exe	WScript.exe
PID 2912 wrote to memory of 4524	2912	vpn_ico.exe	WScript.exe
PID 2912 wrote to memory of 4524	2912	vpn_ico.exe	WScript.exe
PID 4328 wrote to memory of 4640	4328	RUNDLL32.EXE	powershell.exe
PID 4328 wrote to memory of 4640	4328	RUNDLL32.EXE	powershell.exe
PID 4328 wrote to memory of 4640	4328	RUNDLL32.EXE	powershell.exe
PID 4328 wrote to memory of 4924	4328	RUNDLL32.EXE	powershell.exe
PID 4328 wrote to memory of 4924	4328	RUNDLL32.EXE	powershell.exe
PID 4328 wrote to memory of 4924	4328	RUNDLL32.EXE	powershell.exe
PID 4924 wrote to memory of 5096	4924	powershell.exe	nslookup.exe
PID 4924 wrote to memory of 5096	4924	powershell.exe	nslookup.exe
PID 4924 wrote to memory of 5096	4924	powershell.exe	nslookup.exe
PID 4328 wrote to memory of 1008	4328	RUNDLL32.EXE	schtasks.exe
PID 4328 wrote to memory of 1008	4328	RUNDLL32.EXE	schtasks.exe
PID 4328 wrote to memory of 1008	4328	RUNDLL32.EXE	schtasks.exe
PID 4328 wrote to memory of 196	4328	RUNDLL32.EXE	schtasks.exe
PID 4328 wrote to memory of 196	4328	RUNDLL32.EXE	schtasks.exe
PID 4328 wrote to memory of 196	4328	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ab3580b5eb547523abf3c29133504c64.exe
"C:\Users\Admin\AppData\Local\Temp\ab3580b5eb547523abf3c29133504c64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\rgytcwbqagf & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\rgytcwbqagf & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:4144

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\dunijgijkc.exe
"C:\Users\Admin\AppData\Local\Temp\dunijgijkc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUNIJG~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\DUNIJG~1.EXE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DUNIJG~1.DLL,ZloMfI0=
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD9EB.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFA94.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\llcosxs.vbs"
3⤵
PID:2040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yonfuhhrwq.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rgytcwbqagf\46173476.txt
MD5
3865da5ff618a20632c1c6b67335523f

SHA1
edd746ceb30f95cee8c3e9fe2ef5a09222723a90

SHA256
f4e7acb9c98d3f60e3893a03f8c1dbcecdac04e1cb0c38d4adb57a9b516a24b2

SHA512
b3445f592c879fd7846b90f67f21bcc30bb8a4a14851d0085bcfd2e7d80001f3e9429f0fd9f917305d491d6938228360577c99f83b4bf3ded8a0c3b085079b87

Download Submit
C:\ProgramData\rgytcwbqagf\8372422.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\rgytcwbqagf\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\rgytcwbqagf\NL_202~1.ZIP
MD5
323def85ac17b458bed15fec8dafb34f

SHA1
b91582e7b639c94c81a3a1d171e34ba1c2d6674b

SHA256
8d76a15a7d3664e5d4555d4d092dc348240a36d64dcf93651158c5add31ad62b

SHA512
0bc4cb7f4738f88ad7539c272009e229840af69034fdcf2405a4825ad55a0a9795c574638faf544ed51f0934df5c41f456705666078e87cffa5ba71f039f3e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
84c1fca6c6f4ba198b7d23500e8de4f1

SHA1
6429a7899cef866a474e4d6743cf47a63a1c7b14

SHA256
fbcd914c911ee1623756e57fb0661c39964da317ec2dde63ef7556bfc209740b

SHA512
91293047553650cb5996b5e9d859fd95f4de45c8ac5e23ecddb72b512e6755e730155adf1e3d79d4081a6b4832542bb42e08bfddfcb98a98e261c6450e41f3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNIJG~1.DLL
MD5
34948fee52e13a7235d67d37176987ed

SHA1
283b2cb2bd6eed9068adc8459168a6eb4bbad714

SHA256
bb63539cdda267a487fd442f0cf2bf7f1db1baa6c06803d9e813037911383e92

SHA512
a11850d87259a99e43cf010ec00c444c771441de1408e291cfc7e46bac4fc4c01a846246dc4bcc4bd8a0a0fc8c9e0d7129c9aad4440b1ca7496cefd744248a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
71f6eef553f42fe4300bcd44cbf2421c

SHA1
0d9374664dda468a53ca6cdb464b34f8ac0261c0

SHA256
cfb73c6d673b7c8a255e9a2ec879f5f8bca66ede143159df49ce9d317f11f1b1

SHA512
2446be40d4677e052c949ee7337fda4e65a8f0f8c840f75a5e7dbd93f01661f0b817615ac51f9f739b42d9da53433bc73b7598020b1c6eb5869c937278f51ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
71f6eef553f42fe4300bcd44cbf2421c

SHA1
0d9374664dda468a53ca6cdb464b34f8ac0261c0

SHA256
cfb73c6d673b7c8a255e9a2ec879f5f8bca66ede143159df49ce9d317f11f1b1

SHA512
2446be40d4677e052c949ee7337fda4e65a8f0f8c840f75a5e7dbd93f01661f0b817615ac51f9f739b42d9da53433bc73b7598020b1c6eb5869c937278f51ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
203684b2e19985d2d273d1d863142993

SHA1
7a96a22969f42a1897e4911e47bf9e3429d05a1b

SHA256
b73de5f7ecb9556aa5b01ef57d46aa2b480d64c69bed1e63dbe833d91ef5dde4

SHA512
58e9daa4719cdc57faf50f6db56dffe8cb48743f07cfaf0eeb679ba02865fb876018342a34e5f9d66ba9861cca1139e74de8e8f704907fa689e79f214dd8a12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
203684b2e19985d2d273d1d863142993

SHA1
7a96a22969f42a1897e4911e47bf9e3429d05a1b

SHA256
b73de5f7ecb9556aa5b01ef57d46aa2b480d64c69bed1e63dbe833d91ef5dde4

SHA512
58e9daa4719cdc57faf50f6db56dffe8cb48743f07cfaf0eeb679ba02865fb876018342a34e5f9d66ba9861cca1139e74de8e8f704907fa689e79f214dd8a12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
b525579474c90a9ae21a47a4be5f53d9

SHA1
53effb7e648f17ae6f9b78950a5838a6780ba50e

SHA256
670ede153ab2c1f8fb5335d38172d854820bc413726e7552919e1c05a6878b0b

SHA512
97e01342451069ca4f378e883f3ad9dd542269f4e67182063845190897750a613d719eeabd0d6550b31fc4a98bae5d5a548551a42d169e57678e2ddd7f9b929b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
b525579474c90a9ae21a47a4be5f53d9

SHA1
53effb7e648f17ae6f9b78950a5838a6780ba50e

SHA256
670ede153ab2c1f8fb5335d38172d854820bc413726e7552919e1c05a6878b0b

SHA512
97e01342451069ca4f378e883f3ad9dd542269f4e67182063845190897750a613d719eeabd0d6550b31fc4a98bae5d5a548551a42d169e57678e2ddd7f9b929b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dunijgijkc.exe
MD5
39a1a0e88f429700d8324d534800d073

SHA1
48b784106249d141392d4686a0c533543489a801

SHA256
d87ffe03e043a5c33f674cdde0e730a3388dc49860e81d00a64027a221876e72

SHA512
84cda61bc04acc153666c40fad6d40ad22292fbe9351cb513e2cd5310a2905ae7ea7e1718bcaaf89ddeded44da69bfa5842fefdca7cb6aa347be583508d68222

Download Submit
C:\Users\Admin\AppData\Local\Temp\dunijgijkc.exe
MD5
39a1a0e88f429700d8324d534800d073

SHA1
48b784106249d141392d4686a0c533543489a801

SHA256
d87ffe03e043a5c33f674cdde0e730a3388dc49860e81d00a64027a221876e72

SHA512
84cda61bc04acc153666c40fad6d40ad22292fbe9351cb513e2cd5310a2905ae7ea7e1718bcaaf89ddeded44da69bfa5842fefdca7cb6aa347be583508d68222

Download Submit
C:\Users\Admin\AppData\Local\Temp\llcosxs.vbs
MD5
481244e808b980bf4fc46b2b61f0a496

SHA1
ad1dfbab690944e22a83fb328f960a5cff9ea525

SHA256
a693125448e61b048d53bd045c8ed9b24a3a1bb338e8c55906a80066dd7f78d4

SHA512
a851d22d0f34a647c545456fe704849c4e016315c83cf80d0c8631e77a7ff5ec2280e6c72170833957df0595e80cbe273dac65177e507a521d0e63b0d948ff73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9EB.tmp.ps1
MD5
5b8938c3534a419bf3e78d390a369456

SHA1
b9a16131a8d93f198de3d9ef84c9db0ca3abf61f

SHA256
6ce78da711617acecf3ff655d169e99ea24dc0138b8c99942bc6be59b6fd4b27

SHA512
af58f742fa80635f570bf6a2215a98c37cf7746c980d34ac2bb06981a9f19e34c50f05d084a0a56570dac534df9714efaf2343153cd4af5787d859f26514b7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9EC.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA94.tmp.ps1
MD5
2d86786e96b52c1c26021a641a344252

SHA1
8338d594b29d6a99c6d1bae7a393eada1355269f

SHA256
103f53e60b145abe168d48bbaf5ffabcb27697cfb324d8c1c9e57b0a30952a40

SHA512
5f44c67b85555b87eb9ef7d562e3172f7a9f2df1e1cac194532c5d8aeb9571b3339c78981e185cd65387567d54909526c5565027cc1cc6e86ffeac502888a444

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA95.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yonfuhhrwq.vbs
MD5
5b79507ae78371f47b96b762cb72de31

SHA1
2b3c96601a284e90f30d737e17904c1abb99d568

SHA256
94daa68b04ec7b88930110a55e7fc196655603dc3e534d8ae76f8eb4d49593eb

SHA512
4060c2d40c5df3ec1797f1b8f3ae5daf929e9825dd7a6e836acfce9bd590d29edc729de4e37b5b465721a5718e6faff338ca039f468a6ae44fc7f5fb63c9763c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
71f6eef553f42fe4300bcd44cbf2421c

SHA1
0d9374664dda468a53ca6cdb464b34f8ac0261c0

SHA256
cfb73c6d673b7c8a255e9a2ec879f5f8bca66ede143159df49ce9d317f11f1b1

SHA512
2446be40d4677e052c949ee7337fda4e65a8f0f8c840f75a5e7dbd93f01661f0b817615ac51f9f739b42d9da53433bc73b7598020b1c6eb5869c937278f51ab1

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
71f6eef553f42fe4300bcd44cbf2421c

SHA1
0d9374664dda468a53ca6cdb464b34f8ac0261c0

SHA256
cfb73c6d673b7c8a255e9a2ec879f5f8bca66ede143159df49ce9d317f11f1b1

SHA512
2446be40d4677e052c949ee7337fda4e65a8f0f8c840f75a5e7dbd93f01661f0b817615ac51f9f739b42d9da53433bc73b7598020b1c6eb5869c937278f51ab1

Download Submit
\Users\Admin\AppData\Local\Temp\DUNIJG~1.DLL
MD5
34948fee52e13a7235d67d37176987ed

SHA1
283b2cb2bd6eed9068adc8459168a6eb4bbad714

SHA256
bb63539cdda267a487fd442f0cf2bf7f1db1baa6c06803d9e813037911383e92

SHA512
a11850d87259a99e43cf010ec00c444c771441de1408e291cfc7e46bac4fc4c01a846246dc4bcc4bd8a0a0fc8c9e0d7129c9aad4440b1ca7496cefd744248a04

Download Submit
\Users\Admin\AppData\Local\Temp\DUNIJG~1.DLL
MD5
34948fee52e13a7235d67d37176987ed

SHA1
283b2cb2bd6eed9068adc8459168a6eb4bbad714

SHA256
bb63539cdda267a487fd442f0cf2bf7f1db1baa6c06803d9e813037911383e92

SHA512
a11850d87259a99e43cf010ec00c444c771441de1408e291cfc7e46bac4fc4c01a846246dc4bcc4bd8a0a0fc8c9e0d7129c9aad4440b1ca7496cefd744248a04

Download Submit
\Users\Admin\AppData\Local\Temp\DUNIJG~1.DLL
MD5
34948fee52e13a7235d67d37176987ed

SHA1
283b2cb2bd6eed9068adc8459168a6eb4bbad714

SHA256
bb63539cdda267a487fd442f0cf2bf7f1db1baa6c06803d9e813037911383e92

SHA512
a11850d87259a99e43cf010ec00c444c771441de1408e291cfc7e46bac4fc4c01a846246dc4bcc4bd8a0a0fc8c9e0d7129c9aad4440b1ca7496cefd744248a04

Download Submit
\Users\Admin\AppData\Local\Temp\nsl5606.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/196-90-0x0000000000000000-mapping.dmp

Download
memory/720-31-0x0000000000000000-mapping.dmp

Download
memory/1008-89-0x0000000000000000-mapping.dmp

Download
memory/1528-36-0x0000000000000000-mapping.dmp

Download
memory/2040-28-0x0000000000000000-mapping.dmp

Download
memory/2912-17-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/2912-16-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2912-9-0x0000000000000000-mapping.dmp

Download
memory/3020-3-0x0000000000000000-mapping.dmp

Download
memory/3020-14-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/3020-15-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3020-18-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/3536-25-0x0000000000000000-mapping.dmp

Download
memory/3536-30-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/3560-19-0x0000000000000000-mapping.dmp

Download
memory/3560-23-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/3560-22-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3748-12-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3748-13-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3748-6-0x0000000000000000-mapping.dmp

Download
memory/4100-37-0x0000000000000000-mapping.dmp

Download
memory/4144-38-0x0000000000000000-mapping.dmp

Download
memory/4184-39-0x0000000000000000-mapping.dmp

Download
memory/4184-43-0x0000000004B70000-0x00000000051CF000-memory.dmp

Filesize
6.4MB

Download
memory/4328-49-0x0000000000000000-mapping.dmp

Download
memory/4328-51-0x0000000004FC0000-0x000000000561F000-memory.dmp

Filesize
6.4MB

Download
memory/4524-52-0x0000000000000000-mapping.dmp

Download
memory/4640-63-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/4640-62-0x00000000082F0000-0x00000000082F1000-memory.dmp

Filesize
4KB

Download
memory/4640-64-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/4640-56-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4640-66-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/4640-67-0x0000000009EE0000-0x0000000009EE1000-memory.dmp

Filesize
4KB

Download
memory/4640-68-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/4640-69-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/4640-55-0x0000000070F50000-0x000000007163E000-memory.dmp

Filesize
6.9MB

Download
memory/4640-58-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/4640-54-0x0000000000000000-mapping.dmp

Download
memory/4640-59-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/4640-60-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/4640-57-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/4640-61-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/4924-82-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/4924-79-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/4924-73-0x0000000070B00000-0x00000000711EE000-memory.dmp

Filesize
6.9MB

Download
memory/4924-71-0x0000000000000000-mapping.dmp

Download
memory/5096-87-0x0000000000000000-mapping.dmp

Download