Analysis
max time kernel: 176s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 22-02-2022 21:25
Static task: static1
Behavioral task: behavioral1
Sample: 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
Resource: win7-en-20211208
General
Target: 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
Size: 7.8MB
MD5: 6f4f266b41dd8ed90b7d0713bea7c918
SHA1: 72ce1a1d559820548efdb53bfaa9a5d38b7dd021
SHA256: 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820
SHA512: 52cdccaa3ee8702dbf95d0e82c6f0536d266b4eaeee38fbad3c506e8bdc3a8498112eb0a18e3081fe31e7a4d09d2579ea7a69a6b55429a285cd51790ed97f27f
Malware Config
Extracted: metasploit (windows/single_exec)
Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.fcektsy.top/
Signatures
-
Glupteba Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3524-145-0x0000000005160000-0x0000000005A86000-memory.dmp | family_glupteba
behavioral2/memory/3524-152-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rUNdlL32.eXe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 1256 | rUNdlL32.eXe
-
Socelars Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe | family_socelars
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description | pid | process | target process
PID 2080 created 1648 | 2080 | WerFault.exe | rundll32.exe
-
Executes dropped EXE 12 IoCs
Processes: Updbdate.exe, Info.exe, Folder.exe, md9_1sjm.exe, Folder.exe, KRSetp.exe, Install.exe, File.exe, pub2.exe, Files.exe, jfiag3g_gg.exe, jfiag3g_gg.exe
pid | process
2148 | Updbdate.exe
3524 | Info.exe
452 | Folder.exe
2464 | md9_1sjm.exe
3680 | Folder.exe
4068 | KRSetp.exe
3268 | Install.exe
412 | File.exe
3604 | pub2.exe
3252 | Files.exe
3956 | jfiag3g_gg.exe
3648 | jfiag3g_gg.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe, Folder.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | Folder.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
1648 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Files.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex" | Files.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
89 | ip-api.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in Windows directory 1 IoCs
Processes: WerFault.exe
description | ioc | process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 6 IoCs
Processes: WerFault.exe (6 instances)
pid | pid_target | process | target process
936 | 1648 | WerFault.exe | rundll32.exe
1700 | 1648 | WerFault.exe | rundll32.exe
924 | 3524 | WerFault.exe | Info.exe
2140 | 3524 | WerFault.exe | Info.exe
2864 | 3524 | WerFault.exe | Info.exe
3668 | 3524 | WerFault.exe | Info.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: pub2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
3672 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msedge.exe, pub2.exe
pid | process
3024 | msedge.exe
3024 | msedge.exe
3604 | pub2.exe
3604 | pub2.exe
2412 | (no image name recorded; this pid accounts for the remaining 60 of the 64 entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: pub2.exe
pid | process
3604 | pub2.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes: Install.exe, KRSetp.exe, WerFault.exe, taskkill.exe
description (Token:) | pid | process, grouped by process in report order:
Install.exe (pid 3268), 34 tokens: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
KRSetp.exe (pid 4068), 1 token: SeDebugPrivilege
pid 2412 (no image name recorded), 4 tokens: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
WerFault.exe (pid 936), 3 tokens: SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege
taskkill.exe (pid 3672), 1 token: SeDebugPrivilege
pid 2412 (no image name recorded), 6 tokens: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: File.exe
pid | process
412 | File.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe, msedge.exe, Folder.exe
description | pid | process | target process (repeated entries collapsed, with their count, in report order)
PID 3064 wrote to memory of 2148 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | Updbdate.exe (3 entries)
PID 3064 wrote to memory of 1444 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | msedge.exe (2 entries)
PID 3064 wrote to memory of 3524 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | Info.exe (3 entries)
PID 3064 wrote to memory of 452 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | Folder.exe (3 entries)
PID 1444 wrote to memory of 220 | 1444 | msedge.exe | msedge.exe (2 entries)
PID 3064 wrote to memory of 2464 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | md9_1sjm.exe (3 entries)
PID 452 wrote to memory of 3680 | 452 | Folder.exe | Folder.exe (3 entries)
PID 3064 wrote to memory of 4068 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | KRSetp.exe (2 entries)
PID 3064 wrote to memory of 3268 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | Install.exe (3 entries)
PID 3064 wrote to memory of 412 | 3064 | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe | File.exe (3 entries)
PID 1444 wrote to memory of 984 | 1444 | msedge.exe | msedge.exe (37 entries)
Processes
(process tree; [n] is the nesting depth shown in the report, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
      - Executes dropped EXE

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaaeca46f8,0x7ffaaeca4708,0x7ffaaeca4718

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,14515667360073254891,3177897346874709267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,14515667360073254891,3177897346874709267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,14515667360073254891,3177897346874709267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

  [2] C:\Users\Admin\AppData\Local\Temp\Info.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
      - Executes dropped EXE

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 384
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 660
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 704
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 704
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Folder.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\Folder.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
        - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\Install.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c taskkill /f /im chrome.exe

      [4] C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /f /im chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\File.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Local\Temp\pub2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  [2] C:\Users\Admin\AppData\Local\Temp\Files.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      - Executes dropped EXE
      - Adds Run key to start application

    [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - Executes dropped EXE

[1] C:\Windows\system32\rUNdlL32.eXe
    command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process

  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      - Loads dropped DLL

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 608
        - Drops file in Windows directory
        - Program crash
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 608
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3524 -ip 3524

[1] C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1648 -ip 1648
    - Suspicious use of NtCreateProcessExOtherParentProcess

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3524 -ip 3524

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3524 -ip 3524

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3524 -ip 3524

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3524 -ip 3524

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3524 -ip 3524
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5: cbafd60beffb18c666ff85f1517a76f9
SHA1: 9e015cba7168b610969bfc299a4ffe4763f4fd5f
SHA256: d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d
SHA512: ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce
-
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5: 2d0217e0c70440d8c82883eadea517b9
SHA1: f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256: d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA512: 6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5: b89068659ca07ab9b39f1c580a6f9d39
SHA1: 7e3e246fcf920d1ada06900889d099784fe06aa5
SHA256: 9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512: 940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5: f01d6fa9b172453c4538847d8fba92fd
SHA1: 5c8bce1505107101bf28151fc073c71fca6ca7ba
SHA256: 7ce5bfd458b3a8064b078a41fa9ecdd777f8be28d04e1fc1a0fe508a77e43660
SHA512: 7127a48dffa23c79a07137fd8030510769b3a27db7555cea5b562945b62588243862b8c06bafeaeeed2237dcb0d56dbcfc2cf1b8e3108fd64a47b5e13a980324
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5: 992a30dec0b76e19f0644cab152e0888
SHA1: 38b13055600cbd801666377630cdc196d806ece8
SHA256: a63201ba5d88041eb789ddba10d28b79afa40325350f2833c67e655e5964d1c6
SHA512: 84f75a40d426e93a0f337cbe216abc333c5da9556bb283a7a4aed7d2b4a27176ce439668069c71c69d0ace86a94f72512dc0eb2f56dd9a8930f004dd960133cb
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5: fb87a8d964a90ae94c0be5de3d25bb01
SHA1: 8ddada78923059a0373598495fe4efbb125e795c
SHA256: 49b033d90c561256dbe38618a71c2b61d3872c0e0029ab30fc3f5a509105770f
SHA512: 5488ccf896547a434902637f132e2a0b1522d3250497cb2b65208a6baf14aa2a5ac6e6ef27d25aa95405bf6c96aedb636d9376eb6e98cc6f88734ecc23342c37
-
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5: e0d7a00d5d1d17d549330622d5efbc57
SHA1: e3abe1626a305c75b223bc17a9de9245290c1571
SHA256: aae3cdeedc940844c30f81a0df1c1da150fc890c604fc81f0f81da729831e51f
SHA512: 8931fd7e2b00fe4fc3386eaaf8bfd0d30005e5fda3795d105a866505c83e3c5aca59725a5d8dd6369cc43a426920f6eab1f9fc62e40755ea7c905ec9d27464da
-
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5: 5fd2eba6df44d23c9e662763009d7f84
SHA1: 43530574f8ac455ae263c70cc99550bc60bfa4f1
SHA256: 2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f
SHA512: 321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7
-
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5: 1c7be730bdc4833afb7117d48c3fd513
SHA1: dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256: 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA512: 7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5: b7161c0845a64ff6d7345b67ff97f3b0
SHA1: d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256: fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512: 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt (second version, different content)
MD5: 9718b9edbc4e0996efbf3c1c77db01d3
SHA1: 79b318b42f976fc299901605a900481bbbf73ff1
SHA256: 4c6e510216e3e299230ccab2c08ed9f66886d497fc07dc056477ea992ff3f49f
SHA512: 9598c6629a2cec0537e73fba5415620c74867c6c23609c2d314ef4d3f1a36d62178533ace5a7c0c046a0f2eb2ab90d425131c454ce9500b6f8736b392d9de689
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5: 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1: 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256: a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512: 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (second version, different content)
MD5: a6279ec92ff948760ce53bba817d6a77
SHA1: 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256: 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512: 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5: ecd7365422db60cf4f55f3c6f4ed49bf
SHA1: e4b914e366e854fc076b0faa955d4f52ae6f840d
SHA256: 77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7
SHA512: a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5: 8c31c83e48506b080a64e20dbc0e81c2
SHA1: 4549e58a9825e24afe44c10e1165ae7000770930
SHA256: 4ba17e40cc585d6b31e0ed156c4cf801ac9fc492b3ccb604e307a0b59f193823
SHA512: ffce43bad9d935abff882a384e6a4ea3e9b579d22976fe28adc34ab269ee058a79c2a4ca3e530af9914700143df56d86743a26c2df531d813a7edb0b8ea71564
-
\??\pipe\LOCAL\crashpad_1444_RLYGWMXWTKDFADYU (empty, 0-byte content)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2148-136-0x00000000001C0000-0x00000000001EF000-memory.dmp  Filesize: 188KB
-
memory/2148-135-0x00000000025C3000-0x00000000025E5000-memory.dmp  Filesize: 136KB
-
memory/2148-134-0x00000000025C3000-0x00000000025E5000-memory.dmp  Filesize: 136KB
-
memory/2148-180-0x0000000006BA0000-0x0000000007144000-memory.dmp  Filesize: 5.6MB
-
memory/2148-137-0x0000000000400000-0x0000000000432000-memory.dmp  Filesize: 200KB
-
memory/2148-138-0x0000000071DAE000-0x0000000071DAF000-memory.dmp  Filesize: 4KB
-
memory/2148-139-0x0000000004390000-0x0000000004391000-memory.dmp  Filesize: 4KB
-
memory/2148-191-0x0000000007190000-0x00000000077A8000-memory.dmp  Filesize: 6.1MB
-
memory/2148-196-0x0000000002500000-0x0000000002512000-memory.dmp  Filesize: 72KB
-
memory/2148-151-0x0000000004393000-0x0000000004394000-memory.dmp  Filesize: 4KB
-
memory/2148-146-0x0000000004392000-0x0000000004393000-memory.dmp  Filesize: 4KB
-
memory/2464-197-0x00000000038E0000-0x00000000038F0000-memory.dmp  Filesize: 64KB
-
memory/3200-165-0x00007FFACC800000-0x00007FFACC801000-memory.dmp  Filesize: 4KB
-
memory/3524-144-0x0000000004BE1000-0x000000000501D000-memory.dmp  Filesize: 4.2MB
-
memory/3524-152-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize: 9.3MB
-
memory/3524-145-0x0000000005160000-0x0000000005A86000-memory.dmp  Filesize: 9.1MB
-
memory/3604-186-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
-
memory/3604-184-0x0000000002533000-0x0000000002543000-memory.dmp  Filesize: 64KB
-
memory/3604-185-0x0000000000030000-0x0000000000039000-memory.dmp  Filesize: 36KB
-
memory/3604-176-0x0000000002533000-0x0000000002543000-memory.dmp  Filesize: 64KB
-
memory/4068-160-0x0000000000590000-0x00000000005B4000-memory.dmp  Filesize: 144KB