arkei | 7fff90f007947b0a96b3c8a987442108b6a7f8f276a864b453360496df827c96

Analysis

max time kernel
154s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
18-01-2022 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4192d70e24462758cfe66a4930136e3.exe
Size

293KB
MD5

b4192d70e24462758cfe66a4930136e3
SHA1

1f8d22bd775668a2a27c7bb655c8a907924d30db
SHA256

7fff90f007947b0a96b3c8a987442108b6a7f8f276a864b453360496df827c96
SHA512

730f1798782a751e331eb6aae63911303ab3af9be7806292c456ff31ab3388149348a38a214be950cb935ea28e9a417f831cf87ccb585a8ec8676fb1ff974dda

Score

10^/10

arkei raccoon smokeloader 470193d69fd872b73819c5e70dc68242c10ccbce default backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.5

Botnet

470193d69fd872b73819c5e70dc68242c10ccbce

Attributes

url4cnc
http://185.163.204.22/capibar
http://178.62.113.205/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1580 created 1320	1580	WerFault.exe	315A.exe
PID 3476 created 2488	3476	WerFault.exe	98A2.exe
PID 3252 created 3080	3252	WerFault.exe	A073.exe
PID 3304 created 3080	3304	WerFault.exe	A073.exe
PID 2088 created 3192	2088	WerFault.exe	B12E.exe

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3192-182-0x00000000001E0000-0x00000000001FC000-memory.dmp	family_arkei
behavioral2/memory/3192-183-0x0000000000400000-0x000000000045B000-memory.dmp	family_arkei

Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

2C77.exe315A.exe2C77.exe315A.exe93EE.exe98A2.exeA073.exeAA28.exeB12E.exe

pid process

984 2C77.exe
3964 315A.exe
636 2C77.exe
1320 315A.exe
1920 93EE.exe
2488 98A2.exe
3080 A073.exe
2952 AA28.exe
3192 B12E.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B12E.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation B12E.exe
Loads dropped DLL 3 IoCs

Processes:

B12E.exe

pid process

3192 B12E.exe
3192 B12E.exe
3192 B12E.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AA28.exe

pid process

2952 AA28.exe

pid	process
984	2C77.exe
3964	315A.exe
636	2C77.exe
1320	315A.exe
1920	93EE.exe
2488	98A2.exe
3080	A073.exe
2952	AA28.exe
3192	B12E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	B12E.exe

pid	process
3192	B12E.exe
3192	B12E.exe
3192	B12E.exe

pid	process
2952	AA28.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b4192d70e24462758cfe66a4930136e3.exe2C77.exe315A.exe

description	pid	process	target process
PID 1692 set thread context of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 984 set thread context of 636	984	2C77.exe	2C77.exe
PID 3964 set thread context of 1320	3964	315A.exe	315A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
784	1320	WerFault.exe	315A.exe
3364	2488	WerFault.exe	98A2.exe
3592	3080	WerFault.exe	A073.exe
3240	3080	WerFault.exe	A073.exe
1424	3192	WerFault.exe	B12E.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b4192d70e24462758cfe66a4930136e3.exe2C77.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b4192d70e24462758cfe66a4930136e3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b4192d70e24462758cfe66a4930136e3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b4192d70e24462758cfe66a4930136e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2C77.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2C77.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2C77.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeB12E.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B12E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B12E.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3460 timeout.exe

pid	process
3460	timeout.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b4192d70e24462758cfe66a4930136e3.exe

pid	process
2948	b4192d70e24462758cfe66a4930136e3.exe
2948	b4192d70e24462758cfe66a4930136e3.exe
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2420
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b4192d70e24462758cfe66a4930136e3.exe2C77.exe

pid process

2948 b4192d70e24462758cfe66a4930136e3.exe
636 2C77.exe

pid	process
2420

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

315A.exeWerFault.exeAA28.exe

description	pid	process
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeDebugPrivilege	3964	315A.exe
Token: SeRestorePrivilege	784	WerFault.exe
Token: SeBackupPrivilege	784	WerFault.exe
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeDebugPrivilege	2952	AA28.exe
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

b4192d70e24462758cfe66a4930136e3.exe2C77.exe315A.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeB12E.exeWerFault.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 1692 wrote to memory of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 1692 wrote to memory of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 1692 wrote to memory of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 1692 wrote to memory of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 1692 wrote to memory of 2948	1692	b4192d70e24462758cfe66a4930136e3.exe	b4192d70e24462758cfe66a4930136e3.exe
PID 2420 wrote to memory of 984	2420		2C77.exe
PID 2420 wrote to memory of 984	2420		2C77.exe
PID 2420 wrote to memory of 984	2420		2C77.exe
PID 2420 wrote to memory of 3964	2420		315A.exe
PID 2420 wrote to memory of 3964	2420		315A.exe
PID 2420 wrote to memory of 3964	2420		315A.exe
PID 984 wrote to memory of 636	984	2C77.exe	2C77.exe
PID 984 wrote to memory of 636	984	2C77.exe	2C77.exe
PID 984 wrote to memory of 636	984	2C77.exe	2C77.exe
PID 984 wrote to memory of 636	984	2C77.exe	2C77.exe
PID 984 wrote to memory of 636	984	2C77.exe	2C77.exe
PID 984 wrote to memory of 636	984	2C77.exe	2C77.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 3964 wrote to memory of 1320	3964	315A.exe	315A.exe
PID 1580 wrote to memory of 1320	1580	WerFault.exe	315A.exe
PID 1580 wrote to memory of 1320	1580	WerFault.exe	315A.exe
PID 2420 wrote to memory of 1920	2420		93EE.exe
PID 2420 wrote to memory of 1920	2420		93EE.exe
PID 2420 wrote to memory of 1920	2420		93EE.exe
PID 2420 wrote to memory of 2488	2420		98A2.exe
PID 2420 wrote to memory of 2488	2420		98A2.exe
PID 2420 wrote to memory of 2488	2420		98A2.exe
PID 3476 wrote to memory of 2488	3476	WerFault.exe	98A2.exe
PID 3476 wrote to memory of 2488	3476	WerFault.exe	98A2.exe
PID 2420 wrote to memory of 3080	2420		A073.exe
PID 2420 wrote to memory of 3080	2420		A073.exe
PID 2420 wrote to memory of 3080	2420		A073.exe
PID 3252 wrote to memory of 3080	3252	WerFault.exe	A073.exe
PID 3252 wrote to memory of 3080	3252	WerFault.exe	A073.exe
PID 3304 wrote to memory of 3080	3304	WerFault.exe	A073.exe
PID 3304 wrote to memory of 3080	3304	WerFault.exe	A073.exe
PID 2420 wrote to memory of 2952	2420		AA28.exe
PID 2420 wrote to memory of 2952	2420		AA28.exe
PID 2420 wrote to memory of 2952	2420		AA28.exe
PID 2420 wrote to memory of 3192	2420		B12E.exe
PID 2420 wrote to memory of 3192	2420		B12E.exe
PID 2420 wrote to memory of 3192	2420		B12E.exe
PID 3192 wrote to memory of 3736	3192	B12E.exe	cmd.exe
PID 3192 wrote to memory of 3736	3192	B12E.exe	cmd.exe
PID 3192 wrote to memory of 3736	3192	B12E.exe	cmd.exe
PID 2088 wrote to memory of 3192	2088	WerFault.exe	B12E.exe
PID 2088 wrote to memory of 3192	2088	WerFault.exe	B12E.exe
PID 3736 wrote to memory of 3460	3736	cmd.exe	timeout.exe
PID 3736 wrote to memory of 3460	3736	cmd.exe	timeout.exe
PID 3736 wrote to memory of 3460	3736	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\b4192d70e24462758cfe66a4930136e3.exe
"C:\Users\Admin\AppData\Local\Temp\b4192d70e24462758cfe66a4930136e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\b4192d70e24462758cfe66a4930136e3.exe
"C:\Users\Admin\AppData\Local\Temp\b4192d70e24462758cfe66a4930136e3.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2948

C:\Users\Admin\AppData\Local\Temp\2C77.exe
C:\Users\Admin\AppData\Local\Temp\2C77.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\2C77.exe
C:\Users\Admin\AppData\Local\Temp\2C77.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:636

C:\Users\Admin\AppData\Local\Temp\315A.exe
C:\Users\Admin\AppData\Local\Temp\315A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\315A.exe
C:\Users\Admin\AppData\Local\Temp\315A.exe
2⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 152
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1320 -ip 1320
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\93EE.exe
C:\Users\Admin\AppData\Local\Temp\93EE.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\98A2.exe
C:\Users\Admin\AppData\Local\Temp\98A2.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 600
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2488 -ip 2488
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\A073.exe
C:\Users\Admin\AppData\Local\Temp\A073.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 444
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 464
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3080 -ip 3080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3080 -ip 3080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\AA28.exe
C:\Users\Admin\AppData\Local\Temp\AA28.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Users\Admin\AppData\Local\Temp\B12E.exe
C:\Users\Admin\AppData\Local\Temp\B12E.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B12E.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1416
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3192 -ip 3192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C77.exe
MD5
6b46991f3ccdc5135d2afd06da875fc3

SHA1
3f54e0372129ebd8ef3661edaa831e87a2ea5cb4

SHA256
b4e324b6448383deca3410e40bac20b36232003650b221a151b2c302503f5ebc

SHA512
dcc420d209e207c05cfafee99e3961822c201cf555b47295ac6feb2b8f1722af541e357b0ee8ec7d42a1c386260817cec481aea107554e84020b46d8ea2ec955

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C77.exe
MD5
6b46991f3ccdc5135d2afd06da875fc3

SHA1
3f54e0372129ebd8ef3661edaa831e87a2ea5cb4

SHA256
b4e324b6448383deca3410e40bac20b36232003650b221a151b2c302503f5ebc

SHA512
dcc420d209e207c05cfafee99e3961822c201cf555b47295ac6feb2b8f1722af541e357b0ee8ec7d42a1c386260817cec481aea107554e84020b46d8ea2ec955

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C77.exe
MD5
6b46991f3ccdc5135d2afd06da875fc3

SHA1
3f54e0372129ebd8ef3661edaa831e87a2ea5cb4

SHA256
b4e324b6448383deca3410e40bac20b36232003650b221a151b2c302503f5ebc

SHA512
dcc420d209e207c05cfafee99e3961822c201cf555b47295ac6feb2b8f1722af541e357b0ee8ec7d42a1c386260817cec481aea107554e84020b46d8ea2ec955

Download Submit
C:\Users\Admin\AppData\Local\Temp\315A.exe
MD5
29e5d8cbcf13639096bf1353b5f9f48b

SHA1
800629d06593b7fb232a2dfd08384c4349f37382

SHA256
ba587b88b891dfe4c810be48e336cdae9d474618d9d0a3a0637cd2349cc307e2

SHA512
3e394d30c9d50b2ab61b6d9f2942313ec6cee2a4fd873d977bcfe6e62ce05596b62d0993294311da381eb47ad040a41307b192761501a47c8995624288aa5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\315A.exe
MD5
29e5d8cbcf13639096bf1353b5f9f48b

SHA1
800629d06593b7fb232a2dfd08384c4349f37382

SHA256
ba587b88b891dfe4c810be48e336cdae9d474618d9d0a3a0637cd2349cc307e2

SHA512
3e394d30c9d50b2ab61b6d9f2942313ec6cee2a4fd873d977bcfe6e62ce05596b62d0993294311da381eb47ad040a41307b192761501a47c8995624288aa5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\315A.exe
MD5
29e5d8cbcf13639096bf1353b5f9f48b

SHA1
800629d06593b7fb232a2dfd08384c4349f37382

SHA256
ba587b88b891dfe4c810be48e336cdae9d474618d9d0a3a0637cd2349cc307e2

SHA512
3e394d30c9d50b2ab61b6d9f2942313ec6cee2a4fd873d977bcfe6e62ce05596b62d0993294311da381eb47ad040a41307b192761501a47c8995624288aa5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\93EE.exe
MD5
bdf3b101d4c3bb29b543b42d854f1e9c

SHA1
9a2c6ff211c29ba567b15b9fdcf2ed11354ce377

SHA256
09269b6f64fcb4394dbfba6c10b0f504c2e2d5c57aa04c42cd2c0c05aee2f9b8

SHA512
16e096bce2b50ca0dc132e458ff4fe2a52f116331962515fff859eb7d828774f20a62706704a069f984fccf3692c44a2588408906ef4115a42c726a555c8f9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\93EE.exe
MD5
bdf3b101d4c3bb29b543b42d854f1e9c

SHA1
9a2c6ff211c29ba567b15b9fdcf2ed11354ce377

SHA256
09269b6f64fcb4394dbfba6c10b0f504c2e2d5c57aa04c42cd2c0c05aee2f9b8

SHA512
16e096bce2b50ca0dc132e458ff4fe2a52f116331962515fff859eb7d828774f20a62706704a069f984fccf3692c44a2588408906ef4115a42c726a555c8f9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A2.exe
MD5
bdf3b101d4c3bb29b543b42d854f1e9c

SHA1
9a2c6ff211c29ba567b15b9fdcf2ed11354ce377

SHA256
09269b6f64fcb4394dbfba6c10b0f504c2e2d5c57aa04c42cd2c0c05aee2f9b8

SHA512
16e096bce2b50ca0dc132e458ff4fe2a52f116331962515fff859eb7d828774f20a62706704a069f984fccf3692c44a2588408906ef4115a42c726a555c8f9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A2.exe
MD5
bdf3b101d4c3bb29b543b42d854f1e9c

SHA1
9a2c6ff211c29ba567b15b9fdcf2ed11354ce377

SHA256
09269b6f64fcb4394dbfba6c10b0f504c2e2d5c57aa04c42cd2c0c05aee2f9b8

SHA512
16e096bce2b50ca0dc132e458ff4fe2a52f116331962515fff859eb7d828774f20a62706704a069f984fccf3692c44a2588408906ef4115a42c726a555c8f9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\A073.exe
MD5
6a8895bd886a0af18b5d2f3c262b728f

SHA1
43c617c108e1333db60496eabb727654eae91c9c

SHA256
3442d1aa475c564e541dff9918122c255d594537e7b34a363d0f8a63d39b2ca6

SHA512
99f8d80e0348d5c20936993027c329dbf6f931d1c2fef2071b50b15f6badd1448bf2dc6dec7dc3ccff4bce382942a0fb19b75dedd7ee7a3f1254c35acad75716

Download Submit
C:\Users\Admin\AppData\Local\Temp\A073.exe
MD5
6a8895bd886a0af18b5d2f3c262b728f

SHA1
43c617c108e1333db60496eabb727654eae91c9c

SHA256
3442d1aa475c564e541dff9918122c255d594537e7b34a363d0f8a63d39b2ca6

SHA512
99f8d80e0348d5c20936993027c329dbf6f931d1c2fef2071b50b15f6badd1448bf2dc6dec7dc3ccff4bce382942a0fb19b75dedd7ee7a3f1254c35acad75716

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA28.exe
MD5
07861c908ce10d428fbc421b5affa104

SHA1
6d94909acc92dd4268387d4e2a757b0f1c3a8a26

SHA256
be395c09e64da3651f1a0380af0e4e495c6e4a412bc8e0b7e89de2cd53f8abbc

SHA512
e77e6c343436f97277ea801a1afd28287f598236e5e554fba3c1d682c5ee24b7dd71d4e620c9ec6d1998503282109a5322569a436ac796709ba44b2c3fee4459

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA28.exe
MD5
07861c908ce10d428fbc421b5affa104

SHA1
6d94909acc92dd4268387d4e2a757b0f1c3a8a26

SHA256
be395c09e64da3651f1a0380af0e4e495c6e4a412bc8e0b7e89de2cd53f8abbc

SHA512
e77e6c343436f97277ea801a1afd28287f598236e5e554fba3c1d682c5ee24b7dd71d4e620c9ec6d1998503282109a5322569a436ac796709ba44b2c3fee4459

Download Submit
C:\Users\Admin\AppData\Local\Temp\B12E.exe
MD5
f6d98c62352cba657593897b4f26da8a

SHA1
e146dbc2234d05e226c847bab67ed9d536c76919

SHA256
3cd448a8fe389ecc8b9bff4c8736050c994f0545e4b15c11227543aab111fe16

SHA512
b05bc6f00b66a421b622610a1919006a7076b7e190af2399f940d327bf51cf8834f43bb657006eddbb1b28a3dba95db83500ab9c3535f2822fe1e2ba3e431b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\B12E.exe
MD5
f6d98c62352cba657593897b4f26da8a

SHA1
e146dbc2234d05e226c847bab67ed9d536c76919

SHA256
3cd448a8fe389ecc8b9bff4c8736050c994f0545e4b15c11227543aab111fe16

SHA512
b05bc6f00b66a421b622610a1919006a7076b7e190af2399f940d327bf51cf8834f43bb657006eddbb1b28a3dba95db83500ab9c3535f2822fe1e2ba3e431b19

Download Submit
memory/636-148-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/984-142-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1320-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-131-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1692-132-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1920-155-0x0000000002260000-0x00000000022F2000-memory.dmp

Filesize
584KB

Download
memory/1920-156-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/1920-154-0x00000000008C0000-0x000000000092B000-memory.dmp

Filesize
428KB

Download
memory/2420-151-0x0000000008080000-0x0000000008096000-memory.dmp

Filesize
88KB

Download
memory/2420-134-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/2488-159-0x0000000000860000-0x00000000008CB000-memory.dmp

Filesize
428KB

Download
memory/2488-160-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2948-130-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2948-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2952-176-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/2952-177-0x0000000075DD0000-0x0000000076383000-memory.dmp

Filesize
5.7MB

Download
memory/2952-166-0x00000000001C0000-0x0000000000233000-memory.dmp

Filesize
460KB

Download
memory/2952-167-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/2952-168-0x0000000075980000-0x0000000075B95000-memory.dmp

Filesize
2.1MB

Download
memory/2952-169-0x00000000001C0000-0x0000000000233000-memory.dmp

Filesize
460KB

Download
memory/2952-170-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/2952-171-0x0000000002D80000-0x0000000002DC4000-memory.dmp

Filesize
272KB

Download
memory/2952-172-0x0000000005ED0000-0x00000000064E8000-memory.dmp

Filesize
6.1MB

Download
memory/2952-173-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/2952-174-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2952-175-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/2952-189-0x0000000007B90000-0x00000000080BC000-memory.dmp

Filesize
5.2MB

Download
memory/2952-188-0x0000000007490000-0x0000000007652000-memory.dmp

Filesize
1.8MB

Download
memory/2952-186-0x0000000007270000-0x00000000072C0000-memory.dmp

Filesize
320KB

Download
memory/2952-180-0x00000000708D0000-0x000000007091C000-memory.dmp

Filesize
304KB

Download
memory/2952-185-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/2952-184-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/3080-163-0x0000000002600000-0x0000000002660000-memory.dmp

Filesize
384KB

Download
memory/3192-182-0x00000000001E0000-0x00000000001FC000-memory.dmp

Filesize
112KB

Download
memory/3192-183-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3192-181-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/3964-145-0x00000000052E0000-0x0000000005356000-memory.dmp

Filesize
472KB

Download
memory/3964-146-0x0000000005280000-0x000000000529E000-memory.dmp

Filesize
120KB

Download
memory/3964-144-0x0000000002D70000-0x0000000002E11000-memory.dmp

Filesize
644KB

Download
memory/3964-147-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/3964-143-0x0000000005260000-0x0000000005440000-memory.dmp

Filesize
1.9MB

Download
memory/3964-139-0x0000000000A00000-0x0000000000A8A000-memory.dmp

Filesize
552KB

Download