arkei | 6702aa89016e59e96f54642193ffcd79cf2327299aa4c3714114bc877ad9a589

Analysis

max time kernel
156s
max time network
166s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe257194270a5d311e7de87a84c146a.exe
Size

147KB
MD5

bfe257194270a5d311e7de87a84c146a
SHA1

5889114337290c18cd15bfd99b8466f7d2e0693d
SHA256

6702aa89016e59e96f54642193ffcd79cf2327299aa4c3714114bc877ad9a589
SHA512

329a6ba22a976fd78590f07d855f325b7704a0d00f4e919b6afc1e4223ce2fdf9cffd5af2f925f6216d7cfd8b811bb406e93b973fff0eb8fde92111d955a6206

Score

10^/10

arkei redline smokeloader tofsee default agilenet backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

redline

185.159.80.90:38655

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/900-102-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/900-103-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/900-104-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/900-105-0x0000000000418EEE-mapping.dmp	family_redline
behavioral1/memory/900-107-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1952-120-0x0000000000240000-0x0000000000261000-memory.dmp	family_arkei
behavioral1/memory/1952-121-0x0000000000400000-0x0000000000437000-memory.dmp	family_arkei

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

F9BA.exeF9BA.exeFCE6.exeED.exe937.exebupbfuf.exeED.exe6147.exe6473.exe6BD3.exe

pid process

680 F9BA.exe
1808 F9BA.exe
1984 FCE6.exe
1356 ED.exe
1296 937.exe
1040 bupbfuf.exe
900 ED.exe
1952 6147.exe
576 6473.exe
1616 6BD3.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

1260
Loads dropped DLL 2 IoCs

Processes:

F9BA.exeED.exe

pid process

680 F9BA.exe
1356 ED.exe

pid	process
680	F9BA.exe
1808	F9BA.exe
1984	FCE6.exe
1356	ED.exe
1296	937.exe
1040	bupbfuf.exe
900	ED.exe
1952	6147.exe
576	6473.exe
1616	6BD3.exe

pid	process
1260

pid	process
680	F9BA.exe
1356	ED.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6BD3.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\6BD3.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

bfe257194270a5d311e7de87a84c146a.exeF9BA.exeED.exe

description	pid	process	target process
PID 956 set thread context of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 680 set thread context of 1808	680	F9BA.exe	F9BA.exe
PID 1356 set thread context of 900	1356	ED.exe	ED.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bfe257194270a5d311e7de87a84c146a.exeF9BA.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfe257194270a5d311e7de87a84c146a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F9BA.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F9BA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F9BA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfe257194270a5d311e7de87a84c146a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfe257194270a5d311e7de87a84c146a.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

netsh.exebupbfuf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bupbfuf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	bupbfuf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bupbfuf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bfe257194270a5d311e7de87a84c146a.exe

pid	process
456	bfe257194270a5d311e7de87a84c146a.exe
456	bfe257194270a5d311e7de87a84c146a.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1260
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bfe257194270a5d311e7de87a84c146a.exeF9BA.exe

pid process

456 bfe257194270a5d311e7de87a84c146a.exe
1808 F9BA.exe

pid	process
1260

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ED.exe6BD3.exe

description	pid	process
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeDebugPrivilege	900	ED.exe
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeDebugPrivilege	1616	6BD3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1260
1260
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1260
1260

pid	process
1260
1260

pid	process
1260
1260

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bfe257194270a5d311e7de87a84c146a.exeF9BA.exeFCE6.exeED.exe

description	pid	process	target process
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 956 wrote to memory of 456	956	bfe257194270a5d311e7de87a84c146a.exe	bfe257194270a5d311e7de87a84c146a.exe
PID 1260 wrote to memory of 680	1260		F9BA.exe
PID 1260 wrote to memory of 680	1260		F9BA.exe
PID 1260 wrote to memory of 680	1260		F9BA.exe
PID 1260 wrote to memory of 680	1260		F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 680 wrote to memory of 1808	680	F9BA.exe	F9BA.exe
PID 1260 wrote to memory of 1984	1260		FCE6.exe
PID 1260 wrote to memory of 1984	1260		FCE6.exe
PID 1260 wrote to memory of 1984	1260		FCE6.exe
PID 1260 wrote to memory of 1984	1260		FCE6.exe
PID 1260 wrote to memory of 1356	1260		ED.exe
PID 1260 wrote to memory of 1356	1260		ED.exe
PID 1260 wrote to memory of 1356	1260		ED.exe
PID 1260 wrote to memory of 1356	1260		ED.exe
PID 1984 wrote to memory of 1004	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1004	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1004	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1004	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1872	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1872	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1872	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 1872	1984	FCE6.exe	cmd.exe
PID 1984 wrote to memory of 904	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 904	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 904	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 904	1984	FCE6.exe	sc.exe
PID 1260 wrote to memory of 1296	1260		937.exe
PID 1260 wrote to memory of 1296	1260		937.exe
PID 1260 wrote to memory of 1296	1260		937.exe
PID 1260 wrote to memory of 1296	1260		937.exe
PID 1984 wrote to memory of 1312	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1312	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1312	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1312	1984	FCE6.exe	sc.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1984 wrote to memory of 1888	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1888	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1888	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1888	1984	FCE6.exe	sc.exe
PID 1984 wrote to memory of 1696	1984	FCE6.exe	netsh.exe
PID 1984 wrote to memory of 1696	1984	FCE6.exe	netsh.exe
PID 1984 wrote to memory of 1696	1984	FCE6.exe	netsh.exe
PID 1984 wrote to memory of 1696	1984	FCE6.exe	netsh.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1356 wrote to memory of 900	1356	ED.exe	ED.exe
PID 1260 wrote to memory of 1952	1260		6147.exe

C:\Users\Admin\AppData\Local\Temp\bfe257194270a5d311e7de87a84c146a.exe
"C:\Users\Admin\AppData\Local\Temp\bfe257194270a5d311e7de87a84c146a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\bfe257194270a5d311e7de87a84c146a.exe
"C:\Users\Admin\AppData\Local\Temp\bfe257194270a5d311e7de87a84c146a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:456

C:\Users\Admin\AppData\Local\Temp\F9BA.exe
C:\Users\Admin\AppData\Local\Temp\F9BA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\F9BA.exe
C:\Users\Admin\AppData\Local\Temp\F9BA.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1808

C:\Users\Admin\AppData\Local\Temp\FCE6.exe
C:\Users\Admin\AppData\Local\Temp\FCE6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\scfjwwkh\
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bupbfuf.exe" C:\Windows\SysWOW64\scfjwwkh\
2⤵
PID:1872

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create scfjwwkh binPath= "C:\Windows\SysWOW64\scfjwwkh\bupbfuf.exe /d\"C:\Users\Admin\AppData\Local\Temp\FCE6.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description scfjwwkh "wifi internet conection"
2⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start scfjwwkh
2⤵
PID:1888

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\ED.exe
C:\Users\Admin\AppData\Local\Temp\ED.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\ED.exe
C:\Users\Admin\AppData\Local\Temp\ED.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\937.exe
C:\Users\Admin\AppData\Local\Temp\937.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\scfjwwkh\bupbfuf.exe
C:\Windows\SysWOW64\scfjwwkh\bupbfuf.exe /d"C:\Users\Admin\AppData\Local\Temp\FCE6.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\owrosjoi\
2⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\tdivcxwl.exe" C:\Windows\SysWOW64\owrosjoi\
2⤵
PID:1676

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create owrosjoi binPath= "C:\Windows\SysWOW64\owrosjoi\tdivcxwl.exe /d\"C:\Windows\SysWOW64\scfjwwkh\bupbfuf.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1740

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description owrosjoi "wifi internet conection"
2⤵
PID:1624

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start owrosjoi
2⤵
PID:1452

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies data under HKEY_USERS
PID:1820

C:\Users\Admin\AppData\Local\Temp\6147.exe
C:\Users\Admin\AppData\Local\Temp\6147.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Temp\6473.exe
C:\Users\Admin\AppData\Local\Temp\6473.exe
1⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\6BD3.exe
C:\Users\Admin\AppData\Local\Temp\6BD3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6147.exe
MD5
23265c766d6cb7b9d9bdd463053e64ca

SHA1
a118d7c751a2dbe0db63d58be799ce14bb35f547

SHA256
0e4dc77310d35de5839f44f343d0f20175b3ad9be9899283cd2133a6592e4b71

SHA512
f35dc5dcb0a937328b066943f0f87c93140cab3632055a5eaa4c7fe9c3bbd4140e0b8bf15d3d79b544c70e69cb2a7807ef77b8e0a5faaffe6c243a32d250f474

Download Submit
C:\Users\Admin\AppData\Local\Temp\6473.exe
MD5
45c7d66ca1987d417e1858b7b353b758

SHA1
ed09b156cfd87ec42f620721a35bf27392bb8c1a

SHA256
2bd4ae02afd897b27640f8b3286928043845cefad1ca97ca7ed2b859b0e4b984

SHA512
43228a7f672b0c8ba0dbea43d15aae761efbb02dd24e2955f8350fd3db92334ff2c9a2d78857266ae92a45e7330b810d514084e2573a731f8e5dbb10edaebedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6473.exe
MD5
45c7d66ca1987d417e1858b7b353b758

SHA1
ed09b156cfd87ec42f620721a35bf27392bb8c1a

SHA256
2bd4ae02afd897b27640f8b3286928043845cefad1ca97ca7ed2b859b0e4b984

SHA512
43228a7f672b0c8ba0dbea43d15aae761efbb02dd24e2955f8350fd3db92334ff2c9a2d78857266ae92a45e7330b810d514084e2573a731f8e5dbb10edaebedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BD3.exe
MD5
ef77956dda8366a03f902e2a16eae8e0

SHA1
3b0054c39e77ede35f068ed61627dc35cbbebf7f

SHA256
c29eb683b88cf85203b643c69c5736b30747ca174698633b63ef051ae751564e

SHA512
8bc3779d00d6b1e8de07c8a1ebaab140c46909738bf656f41fe5e85fe6aebe76726ba1cb2356e5a95c3bab7a71a3a8da41e8f97c34c96788c21f8eda5be937ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BD3.exe
MD5
ef77956dda8366a03f902e2a16eae8e0

SHA1
3b0054c39e77ede35f068ed61627dc35cbbebf7f

SHA256
c29eb683b88cf85203b643c69c5736b30747ca174698633b63ef051ae751564e

SHA512
8bc3779d00d6b1e8de07c8a1ebaab140c46909738bf656f41fe5e85fe6aebe76726ba1cb2356e5a95c3bab7a71a3a8da41e8f97c34c96788c21f8eda5be937ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\937.exe
MD5
646cc8edbe849bf17c1694d936f7ae6b

SHA1
68b8e56cd63da79a8ace5c70f22cd0a6b3672497

SHA256
836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7

SHA512
92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED.exe
MD5
3c4c5a6892f8a80d51f8569f2890e22d

SHA1
96b9f631ea21ad54d1028c0d8957582d8c28eb6f

SHA256
5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

SHA512
56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED.exe
MD5
3c4c5a6892f8a80d51f8569f2890e22d

SHA1
96b9f631ea21ad54d1028c0d8957582d8c28eb6f

SHA256
5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

SHA512
56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED.exe
MD5
3c4c5a6892f8a80d51f8569f2890e22d

SHA1
96b9f631ea21ad54d1028c0d8957582d8c28eb6f

SHA256
5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

SHA512
56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9BA.exe
MD5
9cef7fd60a2c86dfad46948b68a3e607

SHA1
0020e4adce038822d9e2dc3ef1ce943ee827811e

SHA256
68e08a18772a04308624bd35c23aa98050e4baa1bc6e4d95c281571db747c5ab

SHA512
99a318b57c67093afe6d62f3a54ef223659d7e3069f1cc1f7969217e8b772f62de1f7afde0c4100d00c28b05203102a4d538522c94f4d2b3117ad1a06cd7b445

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9BA.exe
MD5
9cef7fd60a2c86dfad46948b68a3e607

SHA1
0020e4adce038822d9e2dc3ef1ce943ee827811e

SHA256
68e08a18772a04308624bd35c23aa98050e4baa1bc6e4d95c281571db747c5ab

SHA512
99a318b57c67093afe6d62f3a54ef223659d7e3069f1cc1f7969217e8b772f62de1f7afde0c4100d00c28b05203102a4d538522c94f4d2b3117ad1a06cd7b445

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9BA.exe
MD5
9cef7fd60a2c86dfad46948b68a3e607

SHA1
0020e4adce038822d9e2dc3ef1ce943ee827811e

SHA256
68e08a18772a04308624bd35c23aa98050e4baa1bc6e4d95c281571db747c5ab

SHA512
99a318b57c67093afe6d62f3a54ef223659d7e3069f1cc1f7969217e8b772f62de1f7afde0c4100d00c28b05203102a4d538522c94f4d2b3117ad1a06cd7b445

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCE6.exe
MD5
47795de4e14fbbef1fdddabb0e52abe9

SHA1
0e5223901ed607fc349d5f214a648fffa8716a32

SHA256
55eb41d042048d2832548c1b8e701fe01bf00c7c011e457e3df9ca7e262cef72

SHA512
a8e59a34bfeb51d78073d66943edb87ca2a5910c8dbd2b3cbc68c533b3a7c20c43142c1f19b881dabde7f05d0ef2924a25f0f12dfaaee1acb3e75d6cbd93085f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCE6.exe
MD5
47795de4e14fbbef1fdddabb0e52abe9

SHA1
0e5223901ed607fc349d5f214a648fffa8716a32

SHA256
55eb41d042048d2832548c1b8e701fe01bf00c7c011e457e3df9ca7e262cef72

SHA512
a8e59a34bfeb51d78073d66943edb87ca2a5910c8dbd2b3cbc68c533b3a7c20c43142c1f19b881dabde7f05d0ef2924a25f0f12dfaaee1acb3e75d6cbd93085f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bupbfuf.exe
MD5
3f863dcdbd9012e47639cc73d49bf366

SHA1
8b62c42f4aae2e44aec3b1e750fdb0c5f2b86d7f

SHA256
7ef41f0f952720d15620e364e66718971c2e6c929a86ff1cf8d6569aea736693

SHA512
71a79523313d0cbb6808437acbfeb7005bdc4458aceb325e8c8a4c049a5d104b8aa99d68da0dcb648cd5a0d8e0f410a42d9372f220be427e1d02d6f62d90e4ca

Download Submit
C:\Windows\SysWOW64\scfjwwkh\bupbfuf.exe
MD5
3f863dcdbd9012e47639cc73d49bf366

SHA1
8b62c42f4aae2e44aec3b1e750fdb0c5f2b86d7f

SHA256
7ef41f0f952720d15620e364e66718971c2e6c929a86ff1cf8d6569aea736693

SHA512
71a79523313d0cbb6808437acbfeb7005bdc4458aceb325e8c8a4c049a5d104b8aa99d68da0dcb648cd5a0d8e0f410a42d9372f220be427e1d02d6f62d90e4ca

Download Submit
\Users\Admin\AppData\Local\Temp\ED.exe
MD5
3c4c5a6892f8a80d51f8569f2890e22d

SHA1
96b9f631ea21ad54d1028c0d8957582d8c28eb6f

SHA256
5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

SHA512
56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

Download Submit
\Users\Admin\AppData\Local\Temp\F9BA.exe
MD5
9cef7fd60a2c86dfad46948b68a3e607

SHA1
0020e4adce038822d9e2dc3ef1ce943ee827811e

SHA256
68e08a18772a04308624bd35c23aa98050e4baa1bc6e4d95c281571db747c5ab

SHA512
99a318b57c67093afe6d62f3a54ef223659d7e3069f1cc1f7969217e8b772f62de1f7afde0c4100d00c28b05203102a4d538522c94f4d2b3117ad1a06cd7b445

Download Submit
memory/456-59-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/456-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/456-58-0x0000000000402DC6-mapping.dmp

Download
memory/576-117-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/576-114-0x0000000000000000-mapping.dmp

Download
memory/680-61-0x0000000000000000-mapping.dmp

Download
memory/680-68-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/900-105-0x0000000000418EEE-mapping.dmp

Download
memory/900-104-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/900-101-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/900-102-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/900-110-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/900-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/900-103-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/900-100-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/904-85-0x0000000000000000-mapping.dmp

Download
memory/956-56-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/956-55-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/1004-80-0x0000000000000000-mapping.dmp

Download
memory/1260-60-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1260-98-0x00000000043B0000-0x00000000043C6000-memory.dmp

Filesize
88KB

Download
memory/1296-94-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1296-95-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1296-93-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1296-86-0x0000000000000000-mapping.dmp

Download
memory/1312-89-0x0000000000000000-mapping.dmp

Download
memory/1356-81-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1356-88-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1356-76-0x0000000000000000-mapping.dmp

Download
memory/1616-122-0x0000000000000000-mapping.dmp

Download
memory/1616-125-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1696-97-0x0000000000000000-mapping.dmp

Download
memory/1808-66-0x0000000000402DC6-mapping.dmp

Download
memory/1872-83-0x0000000000000000-mapping.dmp

Download
memory/1888-92-0x0000000000000000-mapping.dmp

Download
memory/1952-120-0x0000000000240000-0x0000000000261000-memory.dmp

Filesize
132KB

Download
memory/1952-119-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1952-121-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1952-111-0x0000000000000000-mapping.dmp

Download
memory/1984-70-0x0000000000000000-mapping.dmp

Download
memory/1984-74-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1984-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1984-75-0x0000000000240000-0x0000000000253000-memory.dmp

Filesize
76KB

Download