cryptbot | d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FB06EC887642C3C5C23FB43D9F81C93A.exe
Size

268KB
MD5

fb06ec887642c3c5c23fb43d9f81c93a
SHA1

9fe8ef2fab3c34bd98fade711b8256e0511a1097
SHA256

d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2
SHA512

7443dd4992cdfdfec37dac2deca8bc85539bede8e1de792b64b8a88d6c4d6c81301ce43dfc28bb8839d03881a9a948a7f5da616540db97442685a2ed391cc4dd

Score

10^/10

cryptbot fickerstealer redline mix 07.05 discovery infostealer spyware stealer

Malware Config

Extracted

Family

fickerstealer

truzen.site:80

Extracted

Family

cryptbot

eosbej52.top

morwxi05.top

Extracted

Family

redline

Botnet

MIX 07.05

xisolenoy.xyz:80

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/736-82-0x0000000000220000-0x0000000000301000-memory.dmp	family_cryptbot
behavioral1/memory/736-83-0x0000000000400000-0x00000000008AF000-memory.dmp	family_cryptbot

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1940-99-0x00000000022C0000-0x00000000022DE000-memory.dmp	family_redline
behavioral1/memory/1940-100-0x0000000002390000-0x00000000023AD000-memory.dmp	family_redline

fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

00076430329.exe00076430329.exe18695522343.exe16756878951.exeedspolishpp.exe

pid process

572 00076430329.exe
320 00076430329.exe
736 18695522343.exe
1612 16756878951.exe
1940 edspolishpp.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

824 cmd.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exe00076430329.execmd.execmd.exe16756878951.exe

pid process

396 cmd.exe
396 cmd.exe
572 00076430329.exe
1028 cmd.exe
1028 cmd.exe
1576 cmd.exe
1612 16756878951.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

00076430329.exe

description pid process target process

PID 572 set thread context of 320 572 00076430329.exe 00076430329.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
572	00076430329.exe
320	00076430329.exe
736	18695522343.exe
1612	16756878951.exe
1940	edspolishpp.exe

pid	process
824	cmd.exe

pid	process
396	cmd.exe
396	cmd.exe
572	00076430329.exe
1028	cmd.exe
1028	cmd.exe
1576	cmd.exe
1612	16756878951.exe

flow	ioc
15	api.ipify.org

description	pid	process	target process
PID 572 set thread context of 320	572	00076430329.exe	00076430329.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00076430329.exe18695522343.exe16756878951.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	00076430329.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	00076430329.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18695522343.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18695522343.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	16756878951.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	16756878951.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

564 taskkill.exe

pid	process
564	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

16756878951.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	16756878951.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	16756878951.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	16756878951.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	16756878951.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

00076430329.exeedspolishpp.exe

pid process

320 00076430329.exe
1940 edspolishpp.exe
1940 edspolishpp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exeedspolishpp.exe

description pid process

Token: SeDebugPrivilege 564 taskkill.exe
Token: SeDebugPrivilege 1940 edspolishpp.exe

pid	process
320	00076430329.exe
1940	edspolishpp.exe
1940	edspolishpp.exe

description	pid	process
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1940	edspolishpp.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

FB06EC887642C3C5C23FB43D9F81C93A.execmd.exe00076430329.execmd.execmd.execmd.exe16756878951.exe

description	pid	process	target process
PID 788 wrote to memory of 396	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 396	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 396	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 396	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 396 wrote to memory of 572	396	cmd.exe	00076430329.exe
PID 396 wrote to memory of 572	396	cmd.exe	00076430329.exe
PID 396 wrote to memory of 572	396	cmd.exe	00076430329.exe
PID 396 wrote to memory of 572	396	cmd.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 572 wrote to memory of 320	572	00076430329.exe	00076430329.exe
PID 788 wrote to memory of 1028	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 1028	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 1028	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 1028	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 1028 wrote to memory of 736	1028	cmd.exe	18695522343.exe
PID 1028 wrote to memory of 736	1028	cmd.exe	18695522343.exe
PID 1028 wrote to memory of 736	1028	cmd.exe	18695522343.exe
PID 1028 wrote to memory of 736	1028	cmd.exe	18695522343.exe
PID 788 wrote to memory of 1576	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 1576	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 1576	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 1576	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 1576 wrote to memory of 1612	1576	cmd.exe	16756878951.exe
PID 1576 wrote to memory of 1612	1576	cmd.exe	16756878951.exe
PID 1576 wrote to memory of 1612	1576	cmd.exe	16756878951.exe
PID 1576 wrote to memory of 1612	1576	cmd.exe	16756878951.exe
PID 788 wrote to memory of 824	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 824	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 824	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 788 wrote to memory of 824	788	FB06EC887642C3C5C23FB43D9F81C93A.exe	cmd.exe
PID 824 wrote to memory of 564	824	cmd.exe	taskkill.exe
PID 824 wrote to memory of 564	824	cmd.exe	taskkill.exe
PID 824 wrote to memory of 564	824	cmd.exe	taskkill.exe
PID 824 wrote to memory of 564	824	cmd.exe	taskkill.exe
PID 1612 wrote to memory of 1940	1612	16756878951.exe	edspolishpp.exe
PID 1612 wrote to memory of 1940	1612	16756878951.exe	edspolishpp.exe
PID 1612 wrote to memory of 1940	1612	16756878951.exe	edspolishpp.exe
PID 1612 wrote to memory of 1940	1612	16756878951.exe	edspolishpp.exe

C:\Users\Admin\AppData\Local\Temp\FB06EC887642C3C5C23FB43D9F81C93A.exe
"C:\Users\Admin\AppData\Local\Temp\FB06EC887642C3C5C23FB43D9F81C93A.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
"C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
"C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe" /mix
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe
"C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe" /mix
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\16756878951.exe" /mix
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\16756878951.exe
"C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\16756878951.exe" /mix
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
edspolishpp.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FB06EC887642C3C5C23FB43D9F81C93A.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\FB06EC887642C3C5C23FB43D9F81C93A.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FB06EC887642C3C5C23FB43D9F81C93A.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
MD5
9c23419a5813bde49026b7ffbb315e86

SHA1
9664a1d851e6a076228056dc3632b60917e78294

SHA256
e9edd89f115b9d7fdd48092e43df7d58b74402b92ce7edadd049ea4b2b57aa1a

SHA512
c695ee6ebd929287a407d9a2a36dfa9061ec3470c65690608be461f0dc62939461cf3e6405de82cb2daad96192b88d4e4dc8cae00e467516d6d0ec0c5b0c1023

Download Submit
C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
MD5
9c23419a5813bde49026b7ffbb315e86

SHA1
9664a1d851e6a076228056dc3632b60917e78294

SHA256
e9edd89f115b9d7fdd48092e43df7d58b74402b92ce7edadd049ea4b2b57aa1a

SHA512
c695ee6ebd929287a407d9a2a36dfa9061ec3470c65690608be461f0dc62939461cf3e6405de82cb2daad96192b88d4e4dc8cae00e467516d6d0ec0c5b0c1023

Download Submit
C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
MD5
9c23419a5813bde49026b7ffbb315e86

SHA1
9664a1d851e6a076228056dc3632b60917e78294

SHA256
e9edd89f115b9d7fdd48092e43df7d58b74402b92ce7edadd049ea4b2b57aa1a

SHA512
c695ee6ebd929287a407d9a2a36dfa9061ec3470c65690608be461f0dc62939461cf3e6405de82cb2daad96192b88d4e4dc8cae00e467516d6d0ec0c5b0c1023

Download Submit
C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\16756878951.exe
MD5
9479a5596e62700d1972206df64ad7dc

SHA1
ba45ab9b18908f8fbafb1d372dba4b819363c5a5

SHA256
8286090596289d3f8c6d26e9f048776c61737da6256b0b3e3fb72fa52ae2f9f3

SHA512
238ffefb496a688515638aa8fc7840d7c1252d61271c4a075b8c98b3628ff67473d03f37fdd091311c57ed8160a85bd4b5a5cf656d45ed2b0196cf7947c46ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\16756878951.exe
MD5
9479a5596e62700d1972206df64ad7dc

SHA1
ba45ab9b18908f8fbafb1d372dba4b819363c5a5

SHA256
8286090596289d3f8c6d26e9f048776c61737da6256b0b3e3fb72fa52ae2f9f3

SHA512
238ffefb496a688515638aa8fc7840d7c1252d61271c4a075b8c98b3628ff67473d03f37fdd091311c57ed8160a85bd4b5a5cf656d45ed2b0196cf7947c46ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe
MD5
7cae3416822ec2fa1a83a32d64f8f62d

SHA1
64b02f9cd5ba4d407b470878abf6e20350eac4e1

SHA256
bae34b5431979a214eb8d112e79d305a8474eba7e46fb7470adc48f82010e5b7

SHA512
7e44467f071992b798b18cfc705eb4df89712b57af8f026dcc10a1d752f08d385f4e73a53546941b82343bcf50db5c53ffe72f6aa3927d0f110a826c9afa36e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe
MD5
7cae3416822ec2fa1a83a32d64f8f62d

SHA1
64b02f9cd5ba4d407b470878abf6e20350eac4e1

SHA256
bae34b5431979a214eb8d112e79d305a8474eba7e46fb7470adc48f82010e5b7

SHA512
7e44467f071992b798b18cfc705eb4df89712b57af8f026dcc10a1d752f08d385f4e73a53546941b82343bcf50db5c53ffe72f6aa3927d0f110a826c9afa36e6

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
5f3b587b0213ba0bfadae562d34f51fb

SHA1
d2f879f6567c8d579f95f858185269d0f0879c63

SHA256
f218fead84ca8d1c5063f776759cc9627cf6baff25bce94641ce4057c800ae52

SHA512
a90368e0cf90bb2340de66ee29ab3aa686ca4362645dd336caa03123454d17a31b0bbabe117f443e655089ac2bd990204b8114964296fd351a6d86b8daf8e45d

Download Submit
\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
MD5
9c23419a5813bde49026b7ffbb315e86

SHA1
9664a1d851e6a076228056dc3632b60917e78294

SHA256
e9edd89f115b9d7fdd48092e43df7d58b74402b92ce7edadd049ea4b2b57aa1a

SHA512
c695ee6ebd929287a407d9a2a36dfa9061ec3470c65690608be461f0dc62939461cf3e6405de82cb2daad96192b88d4e4dc8cae00e467516d6d0ec0c5b0c1023

Download Submit
\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
MD5
9c23419a5813bde49026b7ffbb315e86

SHA1
9664a1d851e6a076228056dc3632b60917e78294

SHA256
e9edd89f115b9d7fdd48092e43df7d58b74402b92ce7edadd049ea4b2b57aa1a

SHA512
c695ee6ebd929287a407d9a2a36dfa9061ec3470c65690608be461f0dc62939461cf3e6405de82cb2daad96192b88d4e4dc8cae00e467516d6d0ec0c5b0c1023

Download Submit
\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\00076430329.exe
MD5
9c23419a5813bde49026b7ffbb315e86

SHA1
9664a1d851e6a076228056dc3632b60917e78294

SHA256
e9edd89f115b9d7fdd48092e43df7d58b74402b92ce7edadd049ea4b2b57aa1a

SHA512
c695ee6ebd929287a407d9a2a36dfa9061ec3470c65690608be461f0dc62939461cf3e6405de82cb2daad96192b88d4e4dc8cae00e467516d6d0ec0c5b0c1023

Download Submit
\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\16756878951.exe
MD5
9479a5596e62700d1972206df64ad7dc

SHA1
ba45ab9b18908f8fbafb1d372dba4b819363c5a5

SHA256
8286090596289d3f8c6d26e9f048776c61737da6256b0b3e3fb72fa52ae2f9f3

SHA512
238ffefb496a688515638aa8fc7840d7c1252d61271c4a075b8c98b3628ff67473d03f37fdd091311c57ed8160a85bd4b5a5cf656d45ed2b0196cf7947c46ce1

Download Submit
\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe
MD5
7cae3416822ec2fa1a83a32d64f8f62d

SHA1
64b02f9cd5ba4d407b470878abf6e20350eac4e1

SHA256
bae34b5431979a214eb8d112e79d305a8474eba7e46fb7470adc48f82010e5b7

SHA512
7e44467f071992b798b18cfc705eb4df89712b57af8f026dcc10a1d752f08d385f4e73a53546941b82343bcf50db5c53ffe72f6aa3927d0f110a826c9afa36e6

Download Submit
\Users\Admin\AppData\Local\Temp\{PJBd-VIotN-FGCJ-sm21q}\18695522343.exe
MD5
7cae3416822ec2fa1a83a32d64f8f62d

SHA1
64b02f9cd5ba4d407b470878abf6e20350eac4e1

SHA256
bae34b5431979a214eb8d112e79d305a8474eba7e46fb7470adc48f82010e5b7

SHA512
7e44467f071992b798b18cfc705eb4df89712b57af8f026dcc10a1d752f08d385f4e73a53546941b82343bcf50db5c53ffe72f6aa3927d0f110a826c9afa36e6

Download Submit
\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
5f3b587b0213ba0bfadae562d34f51fb

SHA1
d2f879f6567c8d579f95f858185269d0f0879c63

SHA256
f218fead84ca8d1c5063f776759cc9627cf6baff25bce94641ce4057c800ae52

SHA512
a90368e0cf90bb2340de66ee29ab3aa686ca4362645dd336caa03123454d17a31b0bbabe117f443e655089ac2bd990204b8114964296fd351a6d86b8daf8e45d

Download Submit
memory/320-69-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/320-74-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/320-70-0x0000000000401480-mapping.dmp

Download
memory/396-62-0x0000000000000000-mapping.dmp

Download
memory/564-90-0x0000000000000000-mapping.dmp

Download
memory/572-66-0x0000000000000000-mapping.dmp

Download
memory/572-73-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/736-79-0x0000000000000000-mapping.dmp

Download
memory/736-82-0x0000000000220000-0x0000000000301000-memory.dmp

Filesize
900KB

Download
memory/736-83-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/788-60-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/788-61-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/788-59-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/824-89-0x0000000000000000-mapping.dmp

Download
memory/1028-75-0x0000000000000000-mapping.dmp

Download
memory/1576-84-0x0000000000000000-mapping.dmp

Download
memory/1612-92-0x0000000000920000-0x00000000009EE000-memory.dmp

Filesize
824KB

Download
memory/1612-93-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/1612-87-0x0000000000000000-mapping.dmp

Download
memory/1940-95-0x0000000000000000-mapping.dmp

Download
memory/1940-97-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/1940-98-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/1940-99-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/1940-100-0x0000000002390000-0x00000000023AD000-memory.dmp

Filesize
116KB

Download
memory/1940-103-0x0000000004D13000-0x0000000004D14000-memory.dmp

Filesize
4KB

Download
memory/1940-102-0x0000000004D12000-0x0000000004D13000-memory.dmp

Filesize
4KB

Download
memory/1940-101-0x0000000004D11000-0x0000000004D12000-memory.dmp

Filesize
4KB

Download
memory/1940-104-0x0000000004D14000-0x0000000004D16000-memory.dmp

Filesize
8KB

Download