vkeylogger | 57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965

General

Target

57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
Size

74KB
MD5

ba4380237e7a0f220deaaada1fddff73
SHA1

394b852855574cffa26a66bec083792a21f87f79
SHA256

57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965
SHA512

5e70426b3547020f93c62764f418ff7d475f4bf772130b056f33884e7b155b9675a4af292b356bd9897c5e6c665488989d7400dfb452d8544d1252b3e3798142

Score

10^/10

vkeylogger keylogger persistence spyware stealer suricata

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/720-130-0x0000000002F20000-0x0000000002F32000-memory.dmp	family_vkeylogger

suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

415.exe

pid process

3416 415.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3416	415.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\grerg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrty = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe415.exe

description	pid	process	target process
PID 3576 set thread context of 720	3576	57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe	explorer.exe
PID 3416 set thread context of 2668	3416	415.exe	ielowutil.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4204"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3852"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.038911"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132900915450116603"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.429490"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ielowutil.exe

pid process

2668 ielowutil.exe
2668 ielowutil.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exeexplorer.exe

pid process

3576 57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
720 explorer.exe

pid	process
2668	ielowutil.exe
2668	ielowutil.exe

pid	process
3576	57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
720	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe
Token: SeRestorePrivilege	796	TiWorker.exe
Token: SeSecurityPrivilege	796	TiWorker.exe
Token: SeBackupPrivilege	796	TiWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

720 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe415.exe

pid process

720 explorer.exe
3416 415.exe

pid	process
720	explorer.exe

pid	process
720	explorer.exe
3416	415.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exeexplorer.exe415.exe

description	pid	process	target process
PID 3576 wrote to memory of 720	3576	57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe	explorer.exe
PID 3576 wrote to memory of 720	3576	57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe	explorer.exe
PID 3576 wrote to memory of 720	3576	57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe	explorer.exe
PID 720 wrote to memory of 3416	720	explorer.exe	415.exe
PID 720 wrote to memory of 3416	720	explorer.exe	415.exe
PID 720 wrote to memory of 3416	720	explorer.exe	415.exe
PID 3416 wrote to memory of 3632	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 3632	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 3632	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe
PID 3416 wrote to memory of 2668	3416	415.exe	ielowutil.exe

C:\Users\Admin\AppData\Local\Temp\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
"C:\Users\Admin\AppData\Local\Temp\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720

C:\Users\Admin\AppData\Local\Temp\415.exe
"C:\Users\Admin\AppData\Local\Temp\415.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"
4⤵
PID:3632

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3820

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\415.exe
MD5
558063e08ac6993410949408a509a30f

SHA1
d72106f1ed83cf83cde7f0ac3e89990521af7e76

SHA256
5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

SHA512
e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

Download Submit
C:\Users\Admin\AppData\Local\Temp\415.exe
MD5
558063e08ac6993410949408a509a30f

SHA1
d72106f1ed83cf83cde7f0ac3e89990521af7e76

SHA256
5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

SHA512
e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

Download Submit
memory/720-130-0x0000000002F20000-0x0000000002F32000-memory.dmp

Filesize
72KB

Download
memory/2668-135-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2668-136-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads