Analysis
-
max time kernel
60s -
max time network
160s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-08-2021 06:06
General
-
Target
af01213c_ApfpjrvTmZ.exe
-
Size
5.7MB
-
MD5
af01213c6e231fc59e9518f831a30d36
-
SHA1
d05ca19f8f8d2f72e62b4a6726cf041e7ec86f5e
-
SHA256
6814143c59108c0010bd29365823a38f61062a1978987b4798671334aa496740
-
SHA512
acb6c709dd723ec826b83dac2a6309b607f3c77e3074bf9d0617c6565f7e12a13272bd3495e3311126e1a009ba292bcdc2f79589cf8869a4b95759367846876f
Score
10/10
Malware Config
Extracted
Family
vidar
Version
40
Botnet
706
C2
https://lenak513.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
redline
Botnet
7new
C2
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
40
Botnet
916
C2
https://lenak513.tumblr.com/
Attributes
-
profile_id
916
Extracted
Family
vidar
Version
40
Botnet
937
C2
https://lenak513.tumblr.com/
Attributes
-
profile_id
937
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 6 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 33 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 24 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 3 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af01213c_ApfpjrvTmZ.exe"C:\Users\Admin\AppData\Local\Temp\af01213c_ApfpjrvTmZ.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 824f4766e821701.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\824f4766e821701.exe824f4766e821701.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 41e718b8b1c32.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\41e718b8b1c32.exe41e718b8b1c32.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 9046⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c APPNAME44.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 2424320fd3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\2424320fd3.exe2424320fd3.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c aea4d300485.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\aea4d300485.exeaea4d300485.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\6380851.exe"C:\Users\Admin\AppData\Roaming\6380851.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\4235095.exe"C:\Users\Admin\AppData\Roaming\4235095.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\2254907.exe"C:\Users\Admin\AppData\Roaming\2254907.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\2088712.exe"C:\Users\Admin\AppData\Roaming\2088712.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 689f2a8e13ce6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\689f2a8e13ce6.exe689f2a8e13ce6.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\zvlTDcs1ELqd7ZO2uLxqNwHQ.exe"C:\Users\Admin\Documents\zvlTDcs1ELqd7ZO2uLxqNwHQ.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\e0ihbBB0D0vRn10vv9DUZhha.exe"C:\Users\Admin\Documents\e0ihbBB0D0vRn10vv9DUZhha.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 7647⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 7847⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 8247⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 9567⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 9847⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 10087⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\X1JNUay38uH2F88zqWgf5nCw.exe"C:\Users\Admin\Documents\X1JNUay38uH2F88zqWgf5nCw.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\X1JNUay38uH2F88zqWgf5nCw.exeC:\Users\Admin\Documents\X1JNUay38uH2F88zqWgf5nCw.exe7⤵
-
-
-
C:\Users\Admin\Documents\2M7qZQHcn4FbYXswYEb5BN7n.exe"C:\Users\Admin\Documents\2M7qZQHcn4FbYXswYEb5BN7n.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\2M7qZQHcn4FbYXswYEb5BN7n.exeC:\Users\Admin\Documents\2M7qZQHcn4FbYXswYEb5BN7n.exe7⤵
-
-
-
C:\Users\Admin\Documents\rp0JROQnxAD2N2gZbd3rt7Ch.exe"C:\Users\Admin\Documents\rp0JROQnxAD2N2gZbd3rt7Ch.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\899E_x0UoLJL1IQFGcpvgq8z.exe"C:\Users\Admin\Documents\899E_x0UoLJL1IQFGcpvgq8z.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\otSeAujKe0d3PUFVyEQ67Svi.exe"C:\Users\Admin\Documents\otSeAujKe0d3PUFVyEQ67Svi.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\tSyNVOD5RNxqtntkjuhwRMPB.exe"C:\Users\Admin\Documents\tSyNVOD5RNxqtntkjuhwRMPB.exe"6⤵
-
-
C:\Users\Admin\Documents\p3wBrwKVybupJxLBfu3fq2Sk.exe"C:\Users\Admin\Documents\p3wBrwKVybupJxLBfu3fq2Sk.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
-
C:\Users\Admin\Documents\_lWcSsPiORQV69di2ZZOiKUb.exe"C:\Users\Admin\Documents\_lWcSsPiORQV69di2ZZOiKUb.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im _lWcSsPiORQV69di2ZZOiKUb.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\_lWcSsPiORQV69di2ZZOiKUb.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im _lWcSsPiORQV69di2ZZOiKUb.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Documents\kl6Bz7oCedVxzKAMfter1m6v.exe"C:\Users\Admin\Documents\kl6Bz7oCedVxzKAMfter1m6v.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 6607⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 6727⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 7207⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 8127⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 8887⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 11647⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 11287⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "kl6Bz7oCedVxzKAMfter1m6v.exe" /f & erase "C:\Users\Admin\Documents\kl6Bz7oCedVxzKAMfter1m6v.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "kl6Bz7oCedVxzKAMfter1m6v.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\2PkqoHNdRb9oBGz3Xf4xVThV.exe"C:\Users\Admin\Documents\2PkqoHNdRb9oBGz3Xf4xVThV.exe"6⤵
-
C:\Users\Admin\Documents\2PkqoHNdRb9oBGz3Xf4xVThV.exe"C:\Users\Admin\Documents\2PkqoHNdRb9oBGz3Xf4xVThV.exe"7⤵
-
-
-
C:\Users\Admin\Documents\pdVcZK0wQKmnjfZNvABKrRKl.exe"C:\Users\Admin\Documents\pdVcZK0wQKmnjfZNvABKrRKl.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
-
C:\Users\Admin\Documents\IQmkSE2AVEeB0Ufib1B1Bi3p.exe"C:\Users\Admin\Documents\IQmkSE2AVEeB0Ufib1B1Bi3p.exe"6⤵
-
-
C:\Users\Admin\Documents\g322VpG3iWwDa6kRIPEBIVzR.exe"C:\Users\Admin\Documents\g322VpG3iWwDa6kRIPEBIVzR.exe"6⤵
-
C:\Users\Admin\Documents\g322VpG3iWwDa6kRIPEBIVzR.exe"C:\Users\Admin\Documents\g322VpG3iWwDa6kRIPEBIVzR.exe"7⤵
-
-
-
C:\Users\Admin\Documents\d_Js96T8GDFS7qB4siOBdVIY.exe"C:\Users\Admin\Documents\d_Js96T8GDFS7qB4siOBdVIY.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3924328.exe"C:\Users\Admin\AppData\Roaming\3924328.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\4683754.exe"C:\Users\Admin\AppData\Roaming\4683754.exe"7⤵
-
-
-
C:\Users\Admin\Documents\Ncpfvp0flMfn4nfGE9l8U34x.exe"C:\Users\Admin\Documents\Ncpfvp0flMfn4nfGE9l8U34x.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3618981.exe"C:\Users\Admin\AppData\Roaming\3618981.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\5521174.exe"C:\Users\Admin\AppData\Roaming\5521174.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 228d434d1f139.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\228d434d1f139.exe228d434d1f139.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\228d434d1f139.exe"C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\228d434d1f139.exe" -a6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bee7625d7f3708.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\bee7625d7f3708.exebee7625d7f3708.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe"C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4776 -s 15288⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe"C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6707195.exe"C:\Users\Admin\AppData\Roaming\6707195.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\8469609.exe"C:\Users\Admin\AppData\Roaming\8469609.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\7326841.exe"C:\Users\Admin\AppData\Roaming\7326841.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\4482817.exe"C:\Users\Admin\AppData\Roaming\4482817.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 8008⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 8768⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 8848⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 9608⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 9128⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 11368⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 12128⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 11368⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 7529e76a5fb92d7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08C353A4\7529e76a5fb92d7.exe7529e76a5fb92d7.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 6243⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\997D.exeC:\Users\Admin\AppData\Local\Temp\997D.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\997D.exeC:\Users\Admin\AppData\Local\Temp\997D.exe2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\fc1e554a-643d-4f6f-b96d-fc4020415318" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
-
C:\Users\Admin\AppData\Local\Temp\A739.exeC:\Users\Admin\AppData\Local\Temp\A739.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
40.8MB
-
Filesize
628KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
5.4MB
-
Filesize
464KB
-
Filesize
308KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
47.0MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
860KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
40.4MB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
40.4MB
-
Filesize
9.1MB
-
Filesize
9.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
5.1MB
-
Filesize
188KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
40.7MB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
444KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
380KB
-
Filesize
1.0MB