arkei | 58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279

Analysis

max time kernel
151s
max time network
137s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-12-2021 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
Size

251KB
MD5

e5614c05bfe99d23bc98d60034ca8c5a
SHA1

30e6d4b9cab1f3ed845ef0d424a83b7fceb30063
SHA256

58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279
SHA512

07e2af40f3ae7a8ce1b2b0bcc225d7d8f36a6cbd9cf3ea2125908801f930a6fdf4eb2881c899ac7a425d4779bbd2eab07d42032c060a265e1fb57186912ebf70

Score

10^/10

arkei raccoon redline smokeloader 8b6023dd139bdc34aab99c286fae23d1442b4956 b620be4c85b4051a92040003edbc322be4eb082d default backdoor collection discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

8b6023dd139bdc34aab99c286fae23d1442b4956

Attributes

url4cnc
http://91.219.236.27/h_electricryptors2
http://5.181.156.92/h_electricryptors2
http://91.219.236.207/h_electricryptors2
http://185.225.19.18/h_electricryptors2
http://91.219.237.227/h_electricryptors2
https://t.me/h_electricryptors2

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://153.92.210.92/lYWcN6H7B1.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/516-140-0x0000000000F50000-0x00000000010C5000-memory.dmp	family_redline
behavioral1/memory/1200-154-0x0000000000370000-0x00000000004D8000-memory.dmp	family_redline
behavioral1/memory/1908-178-0x00000000002A0000-0x00000000003B0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3952 created 4112 3952 WerFault.exe D92C.exe
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

description	pid	process	target process
PID 3952 created 4112	3952	WerFault.exe	D92C.exe

Arkei Stealer Payload 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1712-260-0x0000000000F70000-0x000000000143A000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

5A22.exeB2E2.exeB573.exeBF28.exeB2E2.exeC7A5.exeCD34.exeB573.exeD92C.exe1A6C.exe

pid process

4568 5A22.exe
4456 B2E2.exe
2400 B573.exe
516 BF28.exe
808 B2E2.exe
1200 C7A5.exe
1908 CD34.exe
2272 B573.exe
4112 D92C.exe
1712 1A6C.exe

pid	process
4568	5A22.exe
4456	B2E2.exe
2400	B573.exe
516	BF28.exe
808	B2E2.exe
1200	C7A5.exe
1908	CD34.exe
2272	B573.exe
4112	D92C.exe
1712	1A6C.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1A6C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1A6C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1A6C.exe

Deletes itself 1 IoCs

Processes:

pid process

2672
Loads dropped DLL 3 IoCs

Processes:

1A6C.exe

pid process

1712 1A6C.exe
1712 1A6C.exe
1712 1A6C.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2672

pid	process
1712	1A6C.exe
1712	1A6C.exe
1712	1A6C.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

1A6C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1A6C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

C7A5.exe1A6C.exe

pid process

1200 C7A5.exe
1712 1A6C.exe
1712 1A6C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1A6C.exe

pid	process
1200	C7A5.exe
1712	1A6C.exe
1712	1A6C.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exeB2E2.exeB573.exe

description	pid	process	target process
PID 4160 set thread context of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 4456 set thread context of 808	4456	B2E2.exe	B2E2.exe
PID 2400 set thread context of 2272	2400	B573.exe	B573.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3952 4112 WerFault.exe D92C.exe

pid	pid_target	process	target process
3952	4112	WerFault.exe	D92C.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

B2E2.exe58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe5A22.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B2E2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5A22.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5A22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B2E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5A22.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B2E2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1A6C.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1A6C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1A6C.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe

pid	process
4304	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
4304	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672
2672

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2672
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe5A22.exeB2E2.exe

pid process

4304 58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
4568 5A22.exe
808 B2E2.exe
2672
2672
2672
2672

pid	process
2672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

CD34.exeWerFault.exeC7A5.exeBF28.exe

description	pid	process
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeDebugPrivilege	1908	CD34.exe
Token: SeRestorePrivilege	3952	WerFault.exe
Token: SeBackupPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	1200	C7A5.exe
Token: SeDebugPrivilege	516	BF28.exe
Token: SeDebugPrivilege	3952	WerFault.exe
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672
Token: SeShutdownPrivilege	2672
Token: SeCreatePagefilePrivilege	2672

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exeB2E2.exeB573.exe

description	pid	process	target process
PID 4160 wrote to memory of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 4160 wrote to memory of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 4160 wrote to memory of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 4160 wrote to memory of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 4160 wrote to memory of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 4160 wrote to memory of 4304	4160	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe	58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
PID 2672 wrote to memory of 4568	2672		5A22.exe
PID 2672 wrote to memory of 4568	2672		5A22.exe
PID 2672 wrote to memory of 4568	2672		5A22.exe
PID 2672 wrote to memory of 4456	2672		B2E2.exe
PID 2672 wrote to memory of 4456	2672		B2E2.exe
PID 2672 wrote to memory of 4456	2672		B2E2.exe
PID 2672 wrote to memory of 2400	2672		B573.exe
PID 2672 wrote to memory of 2400	2672		B573.exe
PID 2672 wrote to memory of 2400	2672		B573.exe
PID 2672 wrote to memory of 516	2672		BF28.exe
PID 2672 wrote to memory of 516	2672		BF28.exe
PID 2672 wrote to memory of 516	2672		BF28.exe
PID 4456 wrote to memory of 808	4456	B2E2.exe	B2E2.exe
PID 4456 wrote to memory of 808	4456	B2E2.exe	B2E2.exe
PID 4456 wrote to memory of 808	4456	B2E2.exe	B2E2.exe
PID 4456 wrote to memory of 808	4456	B2E2.exe	B2E2.exe
PID 4456 wrote to memory of 808	4456	B2E2.exe	B2E2.exe
PID 4456 wrote to memory of 808	4456	B2E2.exe	B2E2.exe
PID 2672 wrote to memory of 1200	2672		C7A5.exe
PID 2672 wrote to memory of 1200	2672		C7A5.exe
PID 2672 wrote to memory of 1200	2672		C7A5.exe
PID 2672 wrote to memory of 1908	2672		CD34.exe
PID 2672 wrote to memory of 1908	2672		CD34.exe
PID 2672 wrote to memory of 1908	2672		CD34.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2400 wrote to memory of 2272	2400	B573.exe	B573.exe
PID 2672 wrote to memory of 4112	2672		D92C.exe
PID 2672 wrote to memory of 4112	2672		D92C.exe
PID 2672 wrote to memory of 4112	2672		D92C.exe
PID 2672 wrote to memory of 1712	2672		1A6C.exe
PID 2672 wrote to memory of 1712	2672		1A6C.exe
PID 2672 wrote to memory of 1712	2672		1A6C.exe
PID 2672 wrote to memory of 912	2672		explorer.exe
PID 2672 wrote to memory of 912	2672		explorer.exe
PID 2672 wrote to memory of 912	2672		explorer.exe
PID 2672 wrote to memory of 912	2672		explorer.exe
PID 2672 wrote to memory of 2108	2672		explorer.exe
PID 2672 wrote to memory of 2108	2672		explorer.exe
PID 2672 wrote to memory of 2108	2672		explorer.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
"C:\Users\Admin\AppData\Local\Temp\58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe
"C:\Users\Admin\AppData\Local\Temp\58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4304

C:\Users\Admin\AppData\Local\Temp\5A22.exe
C:\Users\Admin\AppData\Local\Temp\5A22.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4568

C:\Users\Admin\AppData\Local\Temp\B2E2.exe
C:\Users\Admin\AppData\Local\Temp\B2E2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\B2E2.exe
C:\Users\Admin\AppData\Local\Temp\B2E2.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:808

C:\Users\Admin\AppData\Local\Temp\B573.exe
C:\Users\Admin\AppData\Local\Temp\B573.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\B573.exe
C:\Users\Admin\AppData\Local\Temp\B573.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\Temp\BF28.exe
C:\Users\Admin\AppData\Local\Temp\BF28.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Users\Admin\AppData\Local\Temp\C7A5.exe
C:\Users\Admin\AppData\Local\Temp\C7A5.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Users\Admin\AppData\Local\Temp\CD34.exe
C:\Users\Admin\AppData\Local\Temp\CD34.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\D92C.exe
C:\Users\Admin\AppData\Local\Temp\D92C.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 876
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\1A6C.exe
C:\Users\Admin\AppData\Local\Temp\1A6C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:1712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:912

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A6C.exe
MD5
1b207ddcd4c46699ff46c7fa7ed2de4b

SHA1
64fe034264b3aad0c5b803a4c0e6a9ff33659a9c

SHA256
11144b039458f096d493a47411c028996236b8a75ed4264558f3edeb22af88f5

SHA512
4e51c4ea346c7ee05d7f67472efa6bd24fdb412be305ab2205ce8ae9a9813c06c4577433ad6fad115eed23f027bda69536fea69d89862b023b7924597f2ddc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A6C.exe
MD5
1b207ddcd4c46699ff46c7fa7ed2de4b

SHA1
64fe034264b3aad0c5b803a4c0e6a9ff33659a9c

SHA256
11144b039458f096d493a47411c028996236b8a75ed4264558f3edeb22af88f5

SHA512
4e51c4ea346c7ee05d7f67472efa6bd24fdb412be305ab2205ce8ae9a9813c06c4577433ad6fad115eed23f027bda69536fea69d89862b023b7924597f2ddc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A22.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A22.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2E2.exe
MD5
e5614c05bfe99d23bc98d60034ca8c5a

SHA1
30e6d4b9cab1f3ed845ef0d424a83b7fceb30063

SHA256
58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279

SHA512
07e2af40f3ae7a8ce1b2b0bcc225d7d8f36a6cbd9cf3ea2125908801f930a6fdf4eb2881c899ac7a425d4779bbd2eab07d42032c060a265e1fb57186912ebf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2E2.exe
MD5
e5614c05bfe99d23bc98d60034ca8c5a

SHA1
30e6d4b9cab1f3ed845ef0d424a83b7fceb30063

SHA256
58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279

SHA512
07e2af40f3ae7a8ce1b2b0bcc225d7d8f36a6cbd9cf3ea2125908801f930a6fdf4eb2881c899ac7a425d4779bbd2eab07d42032c060a265e1fb57186912ebf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2E2.exe
MD5
e5614c05bfe99d23bc98d60034ca8c5a

SHA1
30e6d4b9cab1f3ed845ef0d424a83b7fceb30063

SHA256
58b953997b75226d71f5f3dae995dc943fb8a8028763eafe6093591f4b8e6279

SHA512
07e2af40f3ae7a8ce1b2b0bcc225d7d8f36a6cbd9cf3ea2125908801f930a6fdf4eb2881c899ac7a425d4779bbd2eab07d42032c060a265e1fb57186912ebf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\B573.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B573.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B573.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF28.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF28.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7A5.exe
MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7A5.exe
MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD34.exe
MD5
40f480638f2e8462929a662217a64c5b

SHA1
e72a9399e1ba8d61f26ba9a6e300e92d8bcd656e

SHA256
4602413ecd189f0a449f0ae14ba743d35a1b179bb6d2dc227dec2dd048611f60

SHA512
da9a5d796821f9fc648e2a8b0ccda133f1f276b2c55cc06b5cf158da805b1c6147348fc2e5f8177a96c78d9b178bb1321fd693dcf615f10584d2ae90a689c365

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD34.exe
MD5
40f480638f2e8462929a662217a64c5b

SHA1
e72a9399e1ba8d61f26ba9a6e300e92d8bcd656e

SHA256
4602413ecd189f0a449f0ae14ba743d35a1b179bb6d2dc227dec2dd048611f60

SHA512
da9a5d796821f9fc648e2a8b0ccda133f1f276b2c55cc06b5cf158da805b1c6147348fc2e5f8177a96c78d9b178bb1321fd693dcf615f10584d2ae90a689c365

Download Submit
C:\Users\Admin\AppData\Local\Temp\D92C.exe
MD5
43ce3ca5ad13336bdf29fe85afb96df7

SHA1
630879d33220cf2f51b0b5fe69ebc53b678982ec

SHA256
3129a7ea52a2719d1ae7f5f0a3f6e9c8288d32bf147186e345941561c89af372

SHA512
3e7a37972dda6517ec824b578b18082c06990dc2085ecb0fa90a177e69f13d4a2e123d6fc634f06604866b166741737b091b8ac7825338744bfe45e38e53af18

Download Submit
C:\Users\Admin\AppData\Local\Temp\D92C.exe
MD5
43ce3ca5ad13336bdf29fe85afb96df7

SHA1
630879d33220cf2f51b0b5fe69ebc53b678982ec

SHA256
3129a7ea52a2719d1ae7f5f0a3f6e9c8288d32bf147186e345941561c89af372

SHA512
3e7a37972dda6517ec824b578b18082c06990dc2085ecb0fa90a177e69f13d4a2e123d6fc634f06604866b166741737b091b8ac7825338744bfe45e38e53af18

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/516-149-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/516-155-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/516-196-0x000000006D360000-0x000000006D3AB000-memory.dmp

Filesize
300KB

Download
memory/516-140-0x0000000000F50000-0x00000000010C5000-memory.dmp

Filesize
1.5MB

Download
memory/516-141-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/516-142-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/516-143-0x0000000000C90000-0x0000000000CD3000-memory.dmp

Filesize
268KB

Download
memory/516-144-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/516-145-0x0000000076A10000-0x0000000076B01000-memory.dmp

Filesize
964KB

Download
memory/516-146-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/516-148-0x0000000071DA0000-0x0000000071E20000-memory.dmp

Filesize
512KB

Download
memory/516-133-0x0000000000000000-mapping.dmp

Download
memory/516-151-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/516-171-0x00000000742A0000-0x0000000074824000-memory.dmp

Filesize
5.5MB

Download
memory/516-167-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/516-176-0x00000000754F0000-0x0000000076838000-memory.dmp

Filesize
19.3MB

Download
memory/516-165-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/808-138-0x0000000000402F47-mapping.dmp

Download
memory/912-262-0x0000000003400000-0x000000000346B000-memory.dmp

Filesize
428KB

Download
memory/912-256-0x0000000000000000-mapping.dmp

Download
memory/912-261-0x0000000003470000-0x00000000034E4000-memory.dmp

Filesize
464KB

Download
memory/1200-159-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1200-172-0x00000000742A0000-0x0000000074824000-memory.dmp

Filesize
5.5MB

Download
memory/1200-163-0x00000000028A0000-0x00000000028E7000-memory.dmp

Filesize
284KB

Download
memory/1200-154-0x0000000000370000-0x00000000004D8000-memory.dmp

Filesize
1.4MB

Download
memory/1200-174-0x00000000754F0000-0x0000000076838000-memory.dmp

Filesize
19.3MB

Download
memory/1200-166-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1200-158-0x0000000076A10000-0x0000000076B01000-memory.dmp

Filesize
964KB

Download
memory/1200-161-0x0000000071DA0000-0x0000000071E20000-memory.dmp

Filesize
512KB

Download
memory/1200-150-0x0000000000000000-mapping.dmp

Download
memory/1200-157-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/1200-192-0x000000006D360000-0x000000006D3AB000-memory.dmp

Filesize
300KB

Download
memory/1200-156-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1200-181-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1200-190-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1200-210-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/1712-248-0x0000000000F70000-0x000000000143A000-memory.dmp

Filesize
4.8MB

Download
memory/1712-241-0x0000000000000000-mapping.dmp

Download
memory/1712-260-0x0000000000F70000-0x000000000143A000-memory.dmp

Filesize
4.8MB

Download
memory/1712-254-0x00000000772A0000-0x000000007742E000-memory.dmp

Filesize
1.6MB

Download
memory/1712-253-0x0000000000F70000-0x000000000143A000-memory.dmp

Filesize
4.8MB

Download
memory/1712-246-0x0000000003490000-0x00000000034D5000-memory.dmp

Filesize
276KB

Download
memory/1712-252-0x0000000000F70000-0x000000000143A000-memory.dmp

Filesize
4.8MB

Download
memory/1712-250-0x0000000000F70000-0x000000000143A000-memory.dmp

Filesize
4.8MB

Download
memory/1908-184-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/1908-178-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-200-0x00000000742A0000-0x0000000074824000-memory.dmp

Filesize
5.5MB

Download
memory/1908-203-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1908-215-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/1908-202-0x00000000754F0000-0x0000000076838000-memory.dmp

Filesize
19.3MB

Download
memory/1908-187-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1908-189-0x0000000071DA0000-0x0000000071E20000-memory.dmp

Filesize
512KB

Download
memory/1908-208-0x000000006D360000-0x000000006D3AB000-memory.dmp

Filesize
300KB

Download
memory/1908-212-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1908-186-0x0000000002E00000-0x0000000002E43000-memory.dmp

Filesize
268KB

Download
memory/1908-185-0x0000000076A10000-0x0000000076B01000-memory.dmp

Filesize
964KB

Download
memory/1908-183-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/1908-216-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/1908-179-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1908-173-0x0000000000000000-mapping.dmp

Download
memory/1908-219-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/2108-259-0x0000000000000000-mapping.dmp

Download
memory/2108-263-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/2108-264-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2272-218-0x0000000004ED0000-0x0000000004F5F000-memory.dmp

Filesize
572KB

Download
memory/2272-195-0x0000000000456A80-mapping.dmp

Download
memory/2272-214-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/2272-213-0x000000000349C000-0x00000000034EB000-memory.dmp

Filesize
316KB

Download
memory/2272-209-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/2272-180-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/2272-223-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/2400-182-0x0000000000780000-0x000000000080F000-memory.dmp

Filesize
572KB

Download
memory/2400-170-0x00000000005C1000-0x0000000000627000-memory.dmp

Filesize
408KB

Download
memory/2400-130-0x0000000000000000-mapping.dmp

Download
memory/2672-119-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/2672-201-0x00000000057E0000-0x00000000057F6000-memory.dmp

Filesize
88KB

Download
memory/2672-126-0x0000000001540000-0x0000000001556000-memory.dmp

Filesize
88KB

Download
memory/4112-204-0x0000000000000000-mapping.dmp

Download
memory/4112-221-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/4112-220-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4112-217-0x0000000000791000-0x00000000007E0000-memory.dmp

Filesize
316KB

Download
memory/4160-115-0x00000000006B9000-0x00000000006C2000-memory.dmp

Filesize
36KB

Download
memory/4160-116-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/4304-118-0x0000000000402F47-mapping.dmp

Download
memory/4304-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4456-134-0x0000000000679000-0x0000000000682000-memory.dmp

Filesize
36KB

Download
memory/4456-127-0x0000000000000000-mapping.dmp

Download
memory/4568-120-0x0000000000000000-mapping.dmp

Download
memory/4568-124-0x0000000002BD0000-0x0000000002BD9000-memory.dmp

Filesize
36KB

Download
memory/4568-123-0x0000000002BC0000-0x0000000002BC9000-memory.dmp

Filesize
36KB

Download
memory/4568-125-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download