glupteba | b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

Target

EB7233922891E1DAD0434FBD52623647.exe
Size

7.9MB
MD5

eb7233922891e1dad0434fbd52623647
SHA1

331126b108532ab9a1e932141bff55a38656bce9
SHA256

b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
SHA512

597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Score

10^/10

glupteba metasploit backdoor dropper evasion loader persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

resource	yara_rule
behavioral1/memory/668-220-0x00000000014C0000-0x0000000001DE6000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4972	rUNdlL32.eXe	18

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1260 created 868	1260	WerFault.exe	91
PID 4836 created 668	4836	WerFault.exe	89
PID 4536 created 3364	4536	WerFault.exe	120

evasion 2 IoCs

evasion.

evasion

resource	yara_rule
behavioral1/memory/668-220-0x00000000014C0000-0x0000000001DE6000-memory.dmp	evasion
behavioral1/memory/1544-261-0x0000000000400000-0x0000000000759000-memory.dmp	evasion

Executes dropped EXE 8 IoCs

pid	Process
5080	KRSetp.exe
2428	Folder.exe
3864	Folder.exe
668	Info.exe
1268	Installation.exe
1544	md9_1sjm.exe
3364	pub2.exe
3628	mysetold.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000200000002b18c-259.dat	vmprotect
behavioral1/files/0x000200000002b18c-260.dat	vmprotect
behavioral1/memory/1544-261-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

pid	Process
868	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000100000002b191-336.dat	autoit_exe
behavioral1/files/0x000100000002b191-337.dat	autoit_exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1492	868	WerFault.exe	91
1376	668	WerFault.exe	89
4148	3364	WerFault.exe	120

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1492	WerFault.exe
1492	WerFault.exe
1928	msedge.exe
1928	msedge.exe
4744	msedge.exe
4744	msedge.exe
1376	WerFault.exe
1376	WerFault.exe
3392	identity_helper.exe
3392	identity_helper.exe
4148	WerFault.exe
4148	WerFault.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	KRSetp.exe
Token: SeRestorePrivilege	1492	WerFault.exe
Token: SeBackupPrivilege	1492	WerFault.exe
Token: SeBackupPrivilege	1492	WerFault.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeTcbPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	1544	md9_1sjm.exe
Token: SeManageVolumePrivilege	1544	md9_1sjm.exe
Token: SeManageVolumePrivilege	1544	md9_1sjm.exe
Token: SeManageVolumePrivilege	1544	md9_1sjm.exe
Token: SeManageVolumePrivilege	1544	md9_1sjm.exe
Token: SeSystemtimePrivilege	1040	svchost.exe
Token: SeSystemtimePrivilege	1040	svchost.exe
Token: SeIncBasePriorityPrivilege	1040	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4744	msedge.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe
3628	mysetold.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1268	Installation.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 5080	4908	EB7233922891E1DAD0434FBD52623647.exe	77
PID 4908 wrote to memory of 5080	4908	EB7233922891E1DAD0434FBD52623647.exe	77
PID 4908 wrote to memory of 4744	4908	EB7233922891E1DAD0434FBD52623647.exe	83
PID 4908 wrote to memory of 4744	4908	EB7233922891E1DAD0434FBD52623647.exe	83
PID 4908 wrote to memory of 2428	4908	EB7233922891E1DAD0434FBD52623647.exe	84
PID 4908 wrote to memory of 2428	4908	EB7233922891E1DAD0434FBD52623647.exe	84
PID 4908 wrote to memory of 2428	4908	EB7233922891E1DAD0434FBD52623647.exe	84
PID 4744 wrote to memory of 4928	4744	msedge.exe	86
PID 4744 wrote to memory of 4928	4744	msedge.exe	86
PID 2428 wrote to memory of 3864	2428	Folder.exe	87
PID 2428 wrote to memory of 3864	2428	Folder.exe	87
PID 2428 wrote to memory of 3864	2428	Folder.exe	87
PID 4908 wrote to memory of 668	4908	EB7233922891E1DAD0434FBD52623647.exe	89
PID 4908 wrote to memory of 668	4908	EB7233922891E1DAD0434FBD52623647.exe	89
PID 4908 wrote to memory of 668	4908	EB7233922891E1DAD0434FBD52623647.exe	89
PID 3196 wrote to memory of 868	3196	rUNdlL32.eXe	91
PID 3196 wrote to memory of 868	3196	rUNdlL32.eXe	91
PID 3196 wrote to memory of 868	3196	rUNdlL32.eXe	91
PID 1260 wrote to memory of 868	1260	WerFault.exe	91
PID 1260 wrote to memory of 868	1260	WerFault.exe	91
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1748	4744	msedge.exe	95
PID 4744 wrote to memory of 1928	4744	msedge.exe	96
PID 4744 wrote to memory of 1928	4744	msedge.exe	96
PID 4744 wrote to memory of 2188	4744	msedge.exe	97
PID 4744 wrote to memory of 2188	4744	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a64718
    3⤵
    PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:1748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
    3⤵
    PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    3⤵
    PID:824
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:8
    3⤵
    PID:916
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
    3⤵
    PID:4104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    3⤵
    PID:1260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12560159820918800579,12355020321292911196,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3944 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:3864
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
  2⤵
  - Executes dropped EXE
  PID:668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 240
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe"
  2⤵
  - Executes dropped EXE
  PID:3364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 240
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4148
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3628

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 8PFJ7Xr/RkiQhw851r/usQ.0.2
1⤵
PID:4720

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 448
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 868 -ip 868
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 668 -ip 668
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3364 -ip 3364
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-220-0x00000000014C0000-0x0000000001DE6000-memory.dmp

Filesize
9.1MB

Download
memory/1544-279-0x0000000003820000-0x00000000038A0000-memory.dmp

Filesize
512KB

Download
memory/1544-261-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1544-278-0x00000000044B0000-0x00000000044B8000-memory.dmp

Filesize
32KB

Download
memory/1544-287-0x00000000039E0000-0x0000000003A60000-memory.dmp

Filesize
512KB

Download
memory/1748-179-0x00007FFFEAD80000-0x00007FFFEAD81000-memory.dmp

Filesize
4KB

Download
memory/2112-256-0x00000202C9B00000-0x00000202C9B10000-memory.dmp

Filesize
64KB

Download
memory/2112-255-0x00000202C9A80000-0x00000202C9A90000-memory.dmp

Filesize
64KB

Download
memory/2112-257-0x00000202CC100000-0x00000202CC104000-memory.dmp

Filesize
16KB

Download
memory/3364-334-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/5080-156-0x0000000001240000-0x00000000012FD000-memory.dmp

Filesize
756KB

Download
memory/5080-155-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/5080-154-0x0000000001290000-0x00000000012AC000-memory.dmp

Filesize
112KB

Download
memory/5080-153-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/5080-151-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download