fickerstealer | 19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980

Analysis

max time kernel
57s
max time network
189s
platform
windows7_x64
resource
win7v20210410
submitted
24-06-2021 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
Size

784KB
MD5

fcff182cb8fed42e720a19ed5b997e5a
SHA1

73f95a618c8659acf1ca63bdc9fdf24f72cb27be
SHA256

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980
SHA512

b0d74845b3020a547347ef2a11a26a6512a50cf56da54d2fec602661bf7edfde33c09457e7a049c66b035a3b765dc48ddebfc9a89c0f43d572f9779c1be15404

Score

10^/10

fickerstealer redline poletela123 evasion infostealer themida trojan

Malware Config

Extracted

Family

fickerstealer

185.215.113.94:80

Extracted

Family

redline

Botnet

poletela123

ringweriar.xyz:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1840-101-0x0000000002300000-0x000000000231B000-memory.dmp	family_redline
behavioral1/memory/1840-106-0x0000000002380000-0x0000000002399000-memory.dmp	family_redline

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/2040-103-0x0000000002260000-0x00000000022BB000-memory.dmp	Core1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

dN9zWynb7bcbQoBynlCR4qJR.exerGwqSejSkY63qYKRI3DP60NZ.exe9TvQqNnhm4dXz_q1pMjjHaR4.exepg_ed8t8Pd5kzJdN0kXYPnCM.exeymWccekYjuOGUJTIOd2_AUVy.exegCSwoNU0v4iIeM7fitoIVuAb.exe

pid	process
1840	dN9zWynb7bcbQoBynlCR4qJR.exe
928	rGwqSejSkY63qYKRI3DP60NZ.exe
1920	9TvQqNnhm4dXz_q1pMjjHaR4.exe
864	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
968	ymWccekYjuOGUJTIOd2_AUVy.exe
2040	gCSwoNU0v4iIeM7fitoIVuAb.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pg_ed8t8Pd5kzJdN0kXYPnCM.exeymWccekYjuOGUJTIOd2_AUVy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ymWccekYjuOGUJTIOd2_AUVy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ymWccekYjuOGUJTIOd2_AUVy.exe

Loads dropped DLL 9 IoCs

Processes:

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe

pid	process
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe	themida
C:\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe	themida
behavioral1/memory/968-96-0x0000000000180000-0x0000000000181000-memory.dmp	themida
C:\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

pg_ed8t8Pd5kzJdN0kXYPnCM.exeymWccekYjuOGUJTIOd2_AUVy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ymWccekYjuOGUJTIOd2_AUVy.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

pg_ed8t8Pd5kzJdN0kXYPnCM.exeymWccekYjuOGUJTIOd2_AUVy.exe

pid process

864 pg_ed8t8Pd5kzJdN0kXYPnCM.exe
968 ymWccekYjuOGUJTIOd2_AUVy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1032 864 WerFault.exe pg_ed8t8Pd5kzJdN0kXYPnCM.exe

pid	process
864	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
968	ymWccekYjuOGUJTIOd2_AUVy.exe

pid	pid_target	process	target process
1032	864	WerFault.exe	pg_ed8t8Pd5kzJdN0kXYPnCM.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe

description	pid	process	target process
PID 1304 wrote to memory of 1140	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rrgf5Vg38yUFOos6gPVO01sE.exe
PID 1304 wrote to memory of 1140	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rrgf5Vg38yUFOos6gPVO01sE.exe
PID 1304 wrote to memory of 1140	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rrgf5Vg38yUFOos6gPVO01sE.exe
PID 1304 wrote to memory of 1140	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rrgf5Vg38yUFOos6gPVO01sE.exe
PID 1304 wrote to memory of 1840	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	dN9zWynb7bcbQoBynlCR4qJR.exe
PID 1304 wrote to memory of 1840	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	dN9zWynb7bcbQoBynlCR4qJR.exe
PID 1304 wrote to memory of 1840	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	dN9zWynb7bcbQoBynlCR4qJR.exe
PID 1304 wrote to memory of 1840	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	dN9zWynb7bcbQoBynlCR4qJR.exe
PID 1304 wrote to memory of 928	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rGwqSejSkY63qYKRI3DP60NZ.exe
PID 1304 wrote to memory of 928	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rGwqSejSkY63qYKRI3DP60NZ.exe
PID 1304 wrote to memory of 928	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rGwqSejSkY63qYKRI3DP60NZ.exe
PID 1304 wrote to memory of 928	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	rGwqSejSkY63qYKRI3DP60NZ.exe
PID 1304 wrote to memory of 1920	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	9TvQqNnhm4dXz_q1pMjjHaR4.exe
PID 1304 wrote to memory of 1920	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	9TvQqNnhm4dXz_q1pMjjHaR4.exe
PID 1304 wrote to memory of 1920	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	9TvQqNnhm4dXz_q1pMjjHaR4.exe
PID 1304 wrote to memory of 1920	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	9TvQqNnhm4dXz_q1pMjjHaR4.exe
PID 1304 wrote to memory of 864	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
PID 1304 wrote to memory of 864	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
PID 1304 wrote to memory of 864	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
PID 1304 wrote to memory of 864	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	pg_ed8t8Pd5kzJdN0kXYPnCM.exe
PID 1304 wrote to memory of 2040	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	gCSwoNU0v4iIeM7fitoIVuAb.exe
PID 1304 wrote to memory of 2040	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	gCSwoNU0v4iIeM7fitoIVuAb.exe
PID 1304 wrote to memory of 2040	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	gCSwoNU0v4iIeM7fitoIVuAb.exe
PID 1304 wrote to memory of 2040	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	gCSwoNU0v4iIeM7fitoIVuAb.exe
PID 1304 wrote to memory of 968	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	ymWccekYjuOGUJTIOd2_AUVy.exe
PID 1304 wrote to memory of 968	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	ymWccekYjuOGUJTIOd2_AUVy.exe
PID 1304 wrote to memory of 968	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	ymWccekYjuOGUJTIOd2_AUVy.exe
PID 1304 wrote to memory of 968	1304	19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe	ymWccekYjuOGUJTIOd2_AUVy.exe

C:\Users\Admin\AppData\Local\Temp\19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe
"C:\Users\Admin\AppData\Local\Temp\19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.bin.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\Documents\dN9zWynb7bcbQoBynlCR4qJR.exe
"C:\Users\Admin\Documents\dN9zWynb7bcbQoBynlCR4qJR.exe"
2⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\Documents\rrgf5Vg38yUFOos6gPVO01sE.exe
"C:\Users\Admin\Documents\rrgf5Vg38yUFOos6gPVO01sE.exe"
2⤵
PID:1140

C:\Users\Admin\Documents\rGwqSejSkY63qYKRI3DP60NZ.exe
"C:\Users\Admin\Documents\rGwqSejSkY63qYKRI3DP60NZ.exe"
2⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
"C:\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 900
3⤵
- Program crash
PID:1032

C:\Users\Admin\Documents\9TvQqNnhm4dXz_q1pMjjHaR4.exe
"C:\Users\Admin\Documents\9TvQqNnhm4dXz_q1pMjjHaR4.exe"
2⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe
"C:\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:968

C:\Users\Admin\Documents\gCSwoNU0v4iIeM7fitoIVuAb.exe
"C:\Users\Admin\Documents\gCSwoNU0v4iIeM7fitoIVuAb.exe"
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
308f78bb0ab8c18820ff084b82bb1c27

SHA1
2b10ad96e6c612426af29af9eb47298710e6d775

SHA256
32b4c1a23d3e3d639bc4a355995561b582fb9d8537e303a535309155f8e440d8

SHA512
04e4f118dd2410a7569275fcffada09cc3362e127536a89db3da3692ee8fd8f3b65482b3d93bc8e5c9d2292b1ce0d6ce8743d484242ceb5fe6220378a072f0ac

Download Submit
C:\Users\Admin\Documents\9TvQqNnhm4dXz_q1pMjjHaR4.exe
MD5
26ec22872e63ca904f54feefb25f5c9c

SHA1
61b3895757bb39e8b1fa59a708194e1baa4ad54e

SHA256
05075607946fe7bb8e7bf692ddf5c00f0a9dd1a23aa70a93c19e772093bad1eb

SHA512
28efe0d541a995bf156482da180d7f383b28affba53b28f4a661a94a190196030c6cc75cfa63357a3a39ab5549aabc30ac11d32acaca880f4832569a8794d9e1

Download Submit
C:\Users\Admin\Documents\9TvQqNnhm4dXz_q1pMjjHaR4.exe
MD5
26ec22872e63ca904f54feefb25f5c9c

SHA1
61b3895757bb39e8b1fa59a708194e1baa4ad54e

SHA256
05075607946fe7bb8e7bf692ddf5c00f0a9dd1a23aa70a93c19e772093bad1eb

SHA512
28efe0d541a995bf156482da180d7f383b28affba53b28f4a661a94a190196030c6cc75cfa63357a3a39ab5549aabc30ac11d32acaca880f4832569a8794d9e1

Download Submit
C:\Users\Admin\Documents\dN9zWynb7bcbQoBynlCR4qJR.exe
MD5
43dd23c802f0b3765ac64c155ff9b528

SHA1
313976b41bad883c94d7199bc91c24ddf5f6c398

SHA256
f01d974e0ce17ce7e72234ac8a5d5edde46d8b03bba6100f1f5b9aa783509e48

SHA512
6c2c040c8081c361ce3c9cdd074fc550f553d161f0c78f2935c49bcdde25f46aa59ce8ad630d2a4e6746a06d9c091cdc72dfdf413eec859dcb4e433c3ffb6ab7

Download Submit
C:\Users\Admin\Documents\gCSwoNU0v4iIeM7fitoIVuAb.exe
MD5
e1a3468d800af68ba750e7913fd12354

SHA1
e213b328410a19cf5d7709faedf20ab14423227d

SHA256
2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92

SHA512
14093db561bd134d3e75e2c136cafc16e7bd73113f7672a2d430e0cb3dae0e8b0a8f3d589f17cfa6c8f92f56207a8612fe7769c98d5c53aaceacfd9b7d2b9dde

Download Submit
C:\Users\Admin\Documents\gCSwoNU0v4iIeM7fitoIVuAb.exe
MD5
e1a3468d800af68ba750e7913fd12354

SHA1
e213b328410a19cf5d7709faedf20ab14423227d

SHA256
2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92

SHA512
14093db561bd134d3e75e2c136cafc16e7bd73113f7672a2d430e0cb3dae0e8b0a8f3d589f17cfa6c8f92f56207a8612fe7769c98d5c53aaceacfd9b7d2b9dde

Download Submit
C:\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
80c721fecef7fa6860445adfaeb57e97

SHA1
e11fe1a6fa0e4d67bb309b0c3a193715def8cad3

SHA256
d38cb3ca9ce9153542942b54563134f90522babede6afd56616b12212180f9a6

SHA512
6357fbd673431997720eb28a54d22d44014d73ae476dbf305812948c63f2d05c0f8b3e317bb949c99f5596b0873aada6b7acb5413d4118e9fe7f8e6183cfae5c

Download Submit
C:\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
C:\Users\Admin\Documents\rGwqSejSkY63qYKRI3DP60NZ.exe
MD5
7d6641e15ab1437b03d2238f3f41bf4f

SHA1
ebd0022177f771e109e763801145fcfd1f777aac

SHA256
b256d0a34742f2b70f73b46b98f49c7ef488d3804e3b2d208e4bbb0820eeb43e

SHA512
53da022760520154c1c4ba774044673822d0294aa9048ea0e92833a57aa8e4e5a0c96d1e4c6aa2bdc35baa71837635658f87cee28f82a128610475f0cf08aa49

Download Submit
C:\Users\Admin\Documents\rGwqSejSkY63qYKRI3DP60NZ.exe
MD5
7d6641e15ab1437b03d2238f3f41bf4f

SHA1
ebd0022177f771e109e763801145fcfd1f777aac

SHA256
b256d0a34742f2b70f73b46b98f49c7ef488d3804e3b2d208e4bbb0820eeb43e

SHA512
53da022760520154c1c4ba774044673822d0294aa9048ea0e92833a57aa8e4e5a0c96d1e4c6aa2bdc35baa71837635658f87cee28f82a128610475f0cf08aa49

Download Submit
C:\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe
MD5
554eaa6486e6b1fcda9c0c98ee0a733d

SHA1
e041961cdfdf7499518540d0fa5af80e2f6fe2ff

SHA256
9f06c938bab24d08e2c11c05baf0efe81845e7d8c7265be76862ac7d1aa048a3

SHA512
d59ea07f77c1530efec0a965ac92319bbabf354539dacea1f8e4965aab98f7b14e2b10d3b66635b631f14e19df5f59d078bd8560f948de84d52dce0a931c5cda

Download Submit
C:\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe
MD5
554eaa6486e6b1fcda9c0c98ee0a733d

SHA1
e041961cdfdf7499518540d0fa5af80e2f6fe2ff

SHA256
9f06c938bab24d08e2c11c05baf0efe81845e7d8c7265be76862ac7d1aa048a3

SHA512
d59ea07f77c1530efec0a965ac92319bbabf354539dacea1f8e4965aab98f7b14e2b10d3b66635b631f14e19df5f59d078bd8560f948de84d52dce0a931c5cda

Download Submit
\Users\Admin\Documents\9TvQqNnhm4dXz_q1pMjjHaR4.exe
MD5
26ec22872e63ca904f54feefb25f5c9c

SHA1
61b3895757bb39e8b1fa59a708194e1baa4ad54e

SHA256
05075607946fe7bb8e7bf692ddf5c00f0a9dd1a23aa70a93c19e772093bad1eb

SHA512
28efe0d541a995bf156482da180d7f383b28affba53b28f4a661a94a190196030c6cc75cfa63357a3a39ab5549aabc30ac11d32acaca880f4832569a8794d9e1

Download Submit
\Users\Admin\Documents\9TvQqNnhm4dXz_q1pMjjHaR4.exe
MD5
26ec22872e63ca904f54feefb25f5c9c

SHA1
61b3895757bb39e8b1fa59a708194e1baa4ad54e

SHA256
05075607946fe7bb8e7bf692ddf5c00f0a9dd1a23aa70a93c19e772093bad1eb

SHA512
28efe0d541a995bf156482da180d7f383b28affba53b28f4a661a94a190196030c6cc75cfa63357a3a39ab5549aabc30ac11d32acaca880f4832569a8794d9e1

Download Submit
\Users\Admin\Documents\dN9zWynb7bcbQoBynlCR4qJR.exe
MD5
43dd23c802f0b3765ac64c155ff9b528

SHA1
313976b41bad883c94d7199bc91c24ddf5f6c398

SHA256
f01d974e0ce17ce7e72234ac8a5d5edde46d8b03bba6100f1f5b9aa783509e48

SHA512
6c2c040c8081c361ce3c9cdd074fc550f553d161f0c78f2935c49bcdde25f46aa59ce8ad630d2a4e6746a06d9c091cdc72dfdf413eec859dcb4e433c3ffb6ab7

Download Submit
\Users\Admin\Documents\dN9zWynb7bcbQoBynlCR4qJR.exe
MD5
43dd23c802f0b3765ac64c155ff9b528

SHA1
313976b41bad883c94d7199bc91c24ddf5f6c398

SHA256
f01d974e0ce17ce7e72234ac8a5d5edde46d8b03bba6100f1f5b9aa783509e48

SHA512
6c2c040c8081c361ce3c9cdd074fc550f553d161f0c78f2935c49bcdde25f46aa59ce8ad630d2a4e6746a06d9c091cdc72dfdf413eec859dcb4e433c3ffb6ab7

Download Submit
\Users\Admin\Documents\gCSwoNU0v4iIeM7fitoIVuAb.exe
MD5
e1a3468d800af68ba750e7913fd12354

SHA1
e213b328410a19cf5d7709faedf20ab14423227d

SHA256
2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92

SHA512
14093db561bd134d3e75e2c136cafc16e7bd73113f7672a2d430e0cb3dae0e8b0a8f3d589f17cfa6c8f92f56207a8612fe7769c98d5c53aaceacfd9b7d2b9dde

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\pg_ed8t8Pd5kzJdN0kXYPnCM.exe
MD5
2227ca39671406cd507ec7e59690a7e1

SHA1
2756b3fb151b7ae72a82fad63404efd519b03178

SHA256
5959c89738776f13c9ddb8eb1941b02dc96469eec64fdc7f6b06b81b1fb6ebad

SHA512
3ef1ae6b83a8556b7976b8f3bddbd088bd53e216ccd0c02bf0d7eb2c50b7b755ff9bb49e5272a33740553822a11e5da5574ab0d59c16d45f7f957d5e79dce1df

Download Submit
\Users\Admin\Documents\rGwqSejSkY63qYKRI3DP60NZ.exe
MD5
7d6641e15ab1437b03d2238f3f41bf4f

SHA1
ebd0022177f771e109e763801145fcfd1f777aac

SHA256
b256d0a34742f2b70f73b46b98f49c7ef488d3804e3b2d208e4bbb0820eeb43e

SHA512
53da022760520154c1c4ba774044673822d0294aa9048ea0e92833a57aa8e4e5a0c96d1e4c6aa2bdc35baa71837635658f87cee28f82a128610475f0cf08aa49

Download Submit
\Users\Admin\Documents\rrgf5Vg38yUFOos6gPVO01sE.exe
MD5
0351a9be892e71efe6c8c651df5d6a9c

SHA1
ba3e0dffa3df5cbd237acea8ca5325b4d1e1051e

SHA256
e7ab7a5eea1dee2f2fbcd86c363f5a86ec36bcd3677eca7428f0dc16a00d3616

SHA512
2a418103882e1bbb34d7e159a662f0ed8111b2ef42cf1ad9f6a83d23f031995df211df0be3ae9dc9d370c54a8f378b1f884ade2065b38d1523539df6459f2806

Download Submit
\Users\Admin\Documents\ymWccekYjuOGUJTIOd2_AUVy.exe
MD5
554eaa6486e6b1fcda9c0c98ee0a733d

SHA1
e041961cdfdf7499518540d0fa5af80e2f6fe2ff

SHA256
9f06c938bab24d08e2c11c05baf0efe81845e7d8c7265be76862ac7d1aa048a3

SHA512
d59ea07f77c1530efec0a965ac92319bbabf354539dacea1f8e4965aab98f7b14e2b10d3b66635b631f14e19df5f59d078bd8560f948de84d52dce0a931c5cda

Download Submit
memory/864-75-0x0000000000000000-mapping.dmp

Download
memory/928-91-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/928-68-0x0000000000000000-mapping.dmp

Download
memory/968-96-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/968-83-0x0000000000000000-mapping.dmp

Download
memory/1032-114-0x0000000000000000-mapping.dmp

Download
memory/1140-62-0x0000000000000000-mapping.dmp

Download
memory/1304-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1516-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1516-110-0x0000000000401480-mapping.dmp

Download
memory/1840-84-0x0000000000400000-0x0000000000908000-memory.dmp

Filesize
5.0MB

Download
memory/1840-106-0x0000000002380000-0x0000000002399000-memory.dmp

Filesize
100KB

Download
memory/1840-65-0x0000000000000000-mapping.dmp

Download
memory/1840-81-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1840-101-0x0000000002300000-0x000000000231B000-memory.dmp

Filesize
108KB

Download
memory/1920-99-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1920-73-0x0000000000000000-mapping.dmp

Download
memory/2040-104-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2040-102-0x000000001AEA0000-0x000000001AEA2000-memory.dmp

Filesize
8KB

Download
memory/2040-92-0x0000000000750000-0x00000000007C9000-memory.dmp

Filesize
484KB

Download
memory/2040-89-0x000000013F8E0000-0x000000013F8E1000-memory.dmp

Filesize
4KB

Download
memory/2040-80-0x0000000000000000-mapping.dmp

Download
memory/2040-103-0x0000000002260000-0x00000000022BB000-memory.dmp

Filesize
364KB

Download
memory/2040-107-0x00000000022C0000-0x0000000002303000-memory.dmp

Filesize
268KB

Download
memory/2040-105-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download