guloader | 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-01-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b31fdfb032644bcb1f8b072f4dc5e11a.exe
Size

197KB
MD5

b31fdfb032644bcb1f8b072f4dc5e11a
SHA1

1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
SHA256

4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
SHA512

653a701f4ed1cecd6081e800ec50300a11ac1b927b32192deef796176e655f287bf5024279f0e2821ab5ee62cbc6ac24155b12a9be637dd1c199209289f05087

Score

10^/10

guloader lokibot pony collection discovery downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://windowssecuritycheck.gdn/gx/l/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

pony

http://windowssecuritycheck.gdn/gx/p/gate.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

DRAMATIS.com

pid process

2792 DRAMATIS.com
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2792	DRAMATIS.com

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeb31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DRAMATIS.com
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DRAMATIS.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	DRAMATIS.com

Loads dropped DLL 1 IoCs

Processes:

DRAMATIS.com

pid process

4084 DRAMATIS.com
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4084	DRAMATIS.com

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

DRAMATIS.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	DRAMATIS.com

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DRAMATIS.com

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

pid process

1900 b31fdfb032644bcb1f8b072f4dc5e11a.exe
1900 b31fdfb032644bcb1f8b072f4dc5e11a.exe
4084 DRAMATIS.com
4084 DRAMATIS.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeb31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

pid process

2452 b31fdfb032644bcb1f8b072f4dc5e11a.exe
1900 b31fdfb032644bcb1f8b072f4dc5e11a.exe
2792 DRAMATIS.com
4084 DRAMATIS.com

pid	process
1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe
1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe
4084	DRAMATIS.com
4084	DRAMATIS.com

pid	process
2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe
1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe
2792	DRAMATIS.com
4084	DRAMATIS.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	pid	process	target process
PID 2452 set thread context of 1900	2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 2792 set thread context of 4084	2792	DRAMATIS.com	DRAMATIS.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

pid process

2452 b31fdfb032644bcb1f8b072f4dc5e11a.exe
2792 DRAMATIS.com
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exe

pid process

1900 b31fdfb032644bcb1f8b072f4dc5e11a.exe

pid	process
2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe
2792	DRAMATIS.com

pid	process
1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	pid	process
Token: SeDebugPrivilege	1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Token: SeImpersonatePrivilege	4084	DRAMATIS.com
Token: SeTcbPrivilege	4084	DRAMATIS.com
Token: SeChangeNotifyPrivilege	4084	DRAMATIS.com
Token: SeCreateTokenPrivilege	4084	DRAMATIS.com
Token: SeBackupPrivilege	4084	DRAMATIS.com
Token: SeRestorePrivilege	4084	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	4084	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	4084	DRAMATIS.com
Token: SeImpersonatePrivilege	4084	DRAMATIS.com
Token: SeTcbPrivilege	4084	DRAMATIS.com
Token: SeChangeNotifyPrivilege	4084	DRAMATIS.com
Token: SeCreateTokenPrivilege	4084	DRAMATIS.com
Token: SeBackupPrivilege	4084	DRAMATIS.com
Token: SeRestorePrivilege	4084	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	4084	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	4084	DRAMATIS.com
Token: SeImpersonatePrivilege	4084	DRAMATIS.com
Token: SeTcbPrivilege	4084	DRAMATIS.com
Token: SeChangeNotifyPrivilege	4084	DRAMATIS.com
Token: SeCreateTokenPrivilege	4084	DRAMATIS.com
Token: SeBackupPrivilege	4084	DRAMATIS.com
Token: SeRestorePrivilege	4084	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	4084	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	4084	DRAMATIS.com
Token: SeImpersonatePrivilege	4084	DRAMATIS.com
Token: SeTcbPrivilege	4084	DRAMATIS.com
Token: SeChangeNotifyPrivilege	4084	DRAMATIS.com
Token: SeCreateTokenPrivilege	4084	DRAMATIS.com
Token: SeBackupPrivilege	4084	DRAMATIS.com
Token: SeRestorePrivilege	4084	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	4084	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	4084	DRAMATIS.com
Token: SeImpersonatePrivilege	4084	DRAMATIS.com
Token: SeTcbPrivilege	4084	DRAMATIS.com
Token: SeChangeNotifyPrivilege	4084	DRAMATIS.com
Token: SeCreateTokenPrivilege	4084	DRAMATIS.com
Token: SeBackupPrivilege	4084	DRAMATIS.com
Token: SeRestorePrivilege	4084	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	4084	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	4084	DRAMATIS.com
Token: SeImpersonatePrivilege	4084	DRAMATIS.com
Token: SeTcbPrivilege	4084	DRAMATIS.com
Token: SeChangeNotifyPrivilege	4084	DRAMATIS.com
Token: SeCreateTokenPrivilege	4084	DRAMATIS.com
Token: SeBackupPrivilege	4084	DRAMATIS.com
Token: SeRestorePrivilege	4084	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	4084	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	4084	DRAMATIS.com

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

pid process

2452 b31fdfb032644bcb1f8b072f4dc5e11a.exe
2792 DRAMATIS.com

pid	process
2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe
2792	DRAMATIS.com

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeb31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

description	pid	process	target process
PID 2452 wrote to memory of 1900	2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 2452 wrote to memory of 1900	2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 2452 wrote to memory of 1900	2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 2452 wrote to memory of 1900	2452	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 1900 wrote to memory of 2792	1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 1900 wrote to memory of 2792	1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 1900 wrote to memory of 2792	1900	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 2792 wrote to memory of 4084	2792	DRAMATIS.com	DRAMATIS.com
PID 2792 wrote to memory of 4084	2792	DRAMATIS.com	DRAMATIS.com
PID 2792 wrote to memory of 4084	2792	DRAMATIS.com	DRAMATIS.com
PID 2792 wrote to memory of 4084	2792	DRAMATIS.com	DRAMATIS.com
PID 4084 wrote to memory of 2156	4084	DRAMATIS.com	cmd.exe
PID 4084 wrote to memory of 2156	4084	DRAMATIS.com	cmd.exe
PID 4084 wrote to memory of 2156	4084	DRAMATIS.com	cmd.exe

outlook_office_path 1 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe

outlook_win_path 1 IoCs

Processes:

DRAMATIS.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DRAMATIS.com

C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe
"C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe
"C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe"
2⤵
- Checks QEMU agent file
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
PID:1900

C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
"C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com"
3⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
"C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com"
4⤵
- Checks QEMU agent file
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30387312.bat" "C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com" "
5⤵
PID:2156

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b0075bd3a92b4e50b3e8b82d04575384 m1LUVBdGck63P0D30X+vRQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30387312.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWd6XQZBhARVHwO1QZW240
MD5
f97264a5d29376aadd091cb8880bf4e4

SHA1
1641d112c7f0f31ccff1b9ccab6222d245642e27

SHA256
5bd919690a6400c82da06969c65988a748945cbf3fd6f4ed803884ba516e4bd2

SHA512
6badc1c7bd2b5dad04ff809f0ea6e3a590a777fcaef4750e873bdaea24afd9ce4cc5e1190811632c12f9d6a5cfd67e0b449060fd1811bd55e8863f3a5620b0e2

Download Submit
memory/1900-137-0x0000000001660000-0x00000000017F0000-memory.dmp

Filesize
1.6MB

Download
memory/1900-139-0x0000000077000000-0x00000000771A3000-memory.dmp

Filesize
1.6MB

Download
memory/1900-136-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1900-145-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1900-138-0x00007FFCE5970000-0x00007FFCE5B65000-memory.dmp

Filesize
2.0MB

Download
memory/2452-133-0x00007FFCE5970000-0x00007FFCE5B65000-memory.dmp

Filesize
2.0MB

Download
memory/2452-132-0x00000000021E0000-0x0000000002208000-memory.dmp

Filesize
160KB

Download
memory/2452-135-0x0000000077000000-0x00000000771A3000-memory.dmp

Filesize
1.6MB

Download
memory/2452-134-0x0000000077000000-0x00000000771A3000-memory.dmp

Filesize
1.6MB

Download
memory/2792-146-0x00000000020A0000-0x00000000020C8000-memory.dmp

Filesize
160KB

Download
memory/2792-150-0x0000000077000000-0x00000000771A3000-memory.dmp

Filesize
1.6MB

Download
memory/2792-148-0x00007FFCE5970000-0x00007FFCE5B65000-memory.dmp

Filesize
2.0MB

Download
memory/4084-151-0x0000000001660000-0x00000000017E0000-memory.dmp

Filesize
1.5MB

Download
memory/4084-152-0x00007FFCE5970000-0x00007FFCE5B65000-memory.dmp

Filesize
2.0MB

Download
memory/4084-153-0x0000000077000000-0x00000000771A3000-memory.dmp

Filesize
1.6MB

Download
memory/4084-154-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download