glupteba | 09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820

Analysis

max time kernel
176s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
22-02-2022 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
Size

7.8MB
MD5

6f4f266b41dd8ed90b7d0713bea7c918
SHA1

72ce1a1d559820548efdb53bfaa9a5d38b7dd021
SHA256

09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820
SHA512

52cdccaa3ee8702dbf95d0e82c6f0536d266b4eaeee38fbad3c506e8bdc3a8498112eb0a18e3081fe31e7a4d09d2579ea7a69a6b55429a285cd51790ed97f27f

Score

10^/10

glupteba metasploit socelars backdoor dropper loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3524-145-0x0000000005160000-0x0000000005A86000-memory.dmp	family_glupteba
behavioral2/memory/3524-152-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2780 1256 rUNdlL32.eXe
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1256	rUNdlL32.eXe

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2080 created 1648 2080 WerFault.exe rundll32.exe

description	pid	process	target process
PID 2080 created 1648	2080	WerFault.exe	rundll32.exe

Executes dropped EXE 12 IoCs

Processes:

Updbdate.exeInfo.exeFolder.exemd9_1sjm.exeFolder.exeKRSetp.exeInstall.exeFile.exepub2.exeFiles.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
2148	Updbdate.exe
3524	Info.exe
452	Folder.exe
2464	md9_1sjm.exe
3680	Folder.exe
4068	KRSetp.exe
3268	Install.exe
412	File.exe
3604	pub2.exe
3252	Files.exe
3956	jfiag3g_gg.exe
3648	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1648 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1648	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
89	ip-api.com

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
936	1648	WerFault.exe	rundll32.exe
1700	1648	WerFault.exe	rundll32.exe
924	3524	WerFault.exe	Info.exe
2140	3524	WerFault.exe	Info.exe
2864	3524	WerFault.exe	Info.exe
3668	3524	WerFault.exe	Info.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3672 taskkill.exe

pid	process
3672	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exepub2.exe

pid	process
3024	msedge.exe
3024	msedge.exe
3604	pub2.exe
3604	pub2.exe
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3604 pub2.exe

pid	process
3604	pub2.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

Install.exeKRSetp.exeWerFault.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	3268	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3268	Install.exe
Token: SeLockMemoryPrivilege	3268	Install.exe
Token: SeIncreaseQuotaPrivilege	3268	Install.exe
Token: SeMachineAccountPrivilege	3268	Install.exe
Token: SeTcbPrivilege	3268	Install.exe
Token: SeSecurityPrivilege	3268	Install.exe
Token: SeTakeOwnershipPrivilege	3268	Install.exe
Token: SeLoadDriverPrivilege	3268	Install.exe
Token: SeSystemProfilePrivilege	3268	Install.exe
Token: SeSystemtimePrivilege	3268	Install.exe
Token: SeProfSingleProcessPrivilege	3268	Install.exe
Token: SeIncBasePriorityPrivilege	3268	Install.exe
Token: SeCreatePagefilePrivilege	3268	Install.exe
Token: SeCreatePermanentPrivilege	3268	Install.exe
Token: SeBackupPrivilege	3268	Install.exe
Token: SeRestorePrivilege	3268	Install.exe
Token: SeShutdownPrivilege	3268	Install.exe
Token: SeDebugPrivilege	3268	Install.exe
Token: SeAuditPrivilege	3268	Install.exe
Token: SeSystemEnvironmentPrivilege	3268	Install.exe
Token: SeChangeNotifyPrivilege	3268	Install.exe
Token: SeRemoteShutdownPrivilege	3268	Install.exe
Token: SeUndockPrivilege	3268	Install.exe
Token: SeSyncAgentPrivilege	3268	Install.exe
Token: SeEnableDelegationPrivilege	3268	Install.exe
Token: SeManageVolumePrivilege	3268	Install.exe
Token: SeImpersonatePrivilege	3268	Install.exe
Token: SeCreateGlobalPrivilege	3268	Install.exe
Token: 31	3268	Install.exe
Token: 32	3268	Install.exe
Token: 33	3268	Install.exe
Token: 34	3268	Install.exe
Token: 35	3268	Install.exe
Token: SeDebugPrivilege	4068	KRSetp.exe
Token: SeShutdownPrivilege	2412
Token: SeCreatePagefilePrivilege	2412
Token: SeShutdownPrivilege	2412
Token: SeCreatePagefilePrivilege	2412
Token: SeRestorePrivilege	936	WerFault.exe
Token: SeBackupPrivilege	936	WerFault.exe
Token: SeBackupPrivilege	936	WerFault.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeShutdownPrivilege	2412
Token: SeCreatePagefilePrivilege	2412
Token: SeShutdownPrivilege	2412
Token: SeCreatePagefilePrivilege	2412
Token: SeShutdownPrivilege	2412
Token: SeCreatePagefilePrivilege	2412

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

File.exe

pid process

412 File.exe

pid	process
412	File.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exemsedge.exeFolder.exe

description	pid	process	target process
PID 3064 wrote to memory of 2148	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Updbdate.exe
PID 3064 wrote to memory of 2148	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Updbdate.exe
PID 3064 wrote to memory of 2148	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Updbdate.exe
PID 3064 wrote to memory of 1444	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	msedge.exe
PID 3064 wrote to memory of 1444	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	msedge.exe
PID 3064 wrote to memory of 3524	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Info.exe
PID 3064 wrote to memory of 3524	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Info.exe
PID 3064 wrote to memory of 3524	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Info.exe
PID 3064 wrote to memory of 452	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Folder.exe
PID 3064 wrote to memory of 452	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Folder.exe
PID 3064 wrote to memory of 452	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Folder.exe
PID 1444 wrote to memory of 220	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 220	1444	msedge.exe	msedge.exe
PID 3064 wrote to memory of 2464	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	md9_1sjm.exe
PID 3064 wrote to memory of 2464	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	md9_1sjm.exe
PID 3064 wrote to memory of 2464	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	md9_1sjm.exe
PID 452 wrote to memory of 3680	452	Folder.exe	Folder.exe
PID 452 wrote to memory of 3680	452	Folder.exe	Folder.exe
PID 452 wrote to memory of 3680	452	Folder.exe	Folder.exe
PID 3064 wrote to memory of 4068	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	KRSetp.exe
PID 3064 wrote to memory of 4068	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	KRSetp.exe
PID 3064 wrote to memory of 3268	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Install.exe
PID 3064 wrote to memory of 3268	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Install.exe
PID 3064 wrote to memory of 3268	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	Install.exe
PID 3064 wrote to memory of 412	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	File.exe
PID 3064 wrote to memory of 412	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	File.exe
PID 3064 wrote to memory of 412	3064	09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe	File.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe
PID 1444 wrote to memory of 984	1444	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe
"C:\Users\Admin\AppData\Local\Temp\09e961f331dafd24ffb64c2ff71651dbd1305f21b996e1d0c9607ef6e411f820.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaaeca46f8,0x7ffaaeca4708,0x7ffaaeca4718
3⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,14515667360073254891,3177897346874709267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
3⤵
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,14515667360073254891,3177897346874709267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,14515667360073254891,3177897346874709267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
3⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 384
3⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 660
3⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 704
3⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 704
3⤵
- Program crash
PID:3668

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:3956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:412

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3604

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3252

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2780

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 608
3⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 608
3⤵
- Program crash
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3524 -ip 3524
1⤵
PID:3896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1648 -ip 1648
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3524 -ip 3524
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3524 -ip 3524
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3524 -ip 3524
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3524 -ip 3524
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3524 -ip 3524
1⤵
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
f01d6fa9b172453c4538847d8fba92fd

SHA1
5c8bce1505107101bf28151fc073c71fca6ca7ba

SHA256
7ce5bfd458b3a8064b078a41fa9ecdd777f8be28d04e1fc1a0fe508a77e43660

SHA512
7127a48dffa23c79a07137fd8030510769b3a27db7555cea5b562945b62588243862b8c06bafeaeeed2237dcb0d56dbcfc2cf1b8e3108fd64a47b5e13a980324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
f01d6fa9b172453c4538847d8fba92fd

SHA1
5c8bce1505107101bf28151fc073c71fca6ca7ba

SHA256
7ce5bfd458b3a8064b078a41fa9ecdd777f8be28d04e1fc1a0fe508a77e43660

SHA512
7127a48dffa23c79a07137fd8030510769b3a27db7555cea5b562945b62588243862b8c06bafeaeeed2237dcb0d56dbcfc2cf1b8e3108fd64a47b5e13a980324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
992a30dec0b76e19f0644cab152e0888

SHA1
38b13055600cbd801666377630cdc196d806ece8

SHA256
a63201ba5d88041eb789ddba10d28b79afa40325350f2833c67e655e5964d1c6

SHA512
84f75a40d426e93a0f337cbe216abc333c5da9556bb283a7a4aed7d2b4a27176ce439668069c71c69d0ace86a94f72512dc0eb2f56dd9a8930f004dd960133cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
992a30dec0b76e19f0644cab152e0888

SHA1
38b13055600cbd801666377630cdc196d806ece8

SHA256
a63201ba5d88041eb789ddba10d28b79afa40325350f2833c67e655e5964d1c6

SHA512
84f75a40d426e93a0f337cbe216abc333c5da9556bb283a7a4aed7d2b4a27176ce439668069c71c69d0ace86a94f72512dc0eb2f56dd9a8930f004dd960133cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
fb87a8d964a90ae94c0be5de3d25bb01

SHA1
8ddada78923059a0373598495fe4efbb125e795c

SHA256
49b033d90c561256dbe38618a71c2b61d3872c0e0029ab30fc3f5a509105770f

SHA512
5488ccf896547a434902637f132e2a0b1522d3250497cb2b65208a6baf14aa2a5ac6e6ef27d25aa95405bf6c96aedb636d9376eb6e98cc6f88734ecc23342c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
fb87a8d964a90ae94c0be5de3d25bb01

SHA1
8ddada78923059a0373598495fe4efbb125e795c

SHA256
49b033d90c561256dbe38618a71c2b61d3872c0e0029ab30fc3f5a509105770f

SHA512
5488ccf896547a434902637f132e2a0b1522d3250497cb2b65208a6baf14aa2a5ac6e6ef27d25aa95405bf6c96aedb636d9376eb6e98cc6f88734ecc23342c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
e0d7a00d5d1d17d549330622d5efbc57

SHA1
e3abe1626a305c75b223bc17a9de9245290c1571

SHA256
aae3cdeedc940844c30f81a0df1c1da150fc890c604fc81f0f81da729831e51f

SHA512
8931fd7e2b00fe4fc3386eaaf8bfd0d30005e5fda3795d105a866505c83e3c5aca59725a5d8dd6369cc43a426920f6eab1f9fc62e40755ea7c905ec9d27464da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
e0d7a00d5d1d17d549330622d5efbc57

SHA1
e3abe1626a305c75b223bc17a9de9245290c1571

SHA256
aae3cdeedc940844c30f81a0df1c1da150fc890c604fc81f0f81da729831e51f

SHA512
8931fd7e2b00fe4fc3386eaaf8bfd0d30005e5fda3795d105a866505c83e3c5aca59725a5d8dd6369cc43a426920f6eab1f9fc62e40755ea7c905ec9d27464da

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
9718b9edbc4e0996efbf3c1c77db01d3

SHA1
79b318b42f976fc299901605a900481bbbf73ff1

SHA256
4c6e510216e3e299230ccab2c08ed9f66886d497fc07dc056477ea992ff3f49f

SHA512
9598c6629a2cec0537e73fba5415620c74867c6c23609c2d314ef4d3f1a36d62178533ace5a7c0c046a0f2eb2ab90d425131c454ce9500b6f8736b392d9de689

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ecd7365422db60cf4f55f3c6f4ed49bf

SHA1
e4b914e366e854fc076b0faa955d4f52ae6f840d

SHA256
77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7

SHA512
a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ecd7365422db60cf4f55f3c6f4ed49bf

SHA1
e4b914e366e854fc076b0faa955d4f52ae6f840d

SHA256
77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7

SHA512
a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8c31c83e48506b080a64e20dbc0e81c2

SHA1
4549e58a9825e24afe44c10e1165ae7000770930

SHA256
4ba17e40cc585d6b31e0ed156c4cf801ac9fc492b3ccb604e307a0b59f193823

SHA512
ffce43bad9d935abff882a384e6a4ea3e9b579d22976fe28adc34ab269ee058a79c2a4ca3e530af9914700143df56d86743a26c2df531d813a7edb0b8ea71564

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
8c31c83e48506b080a64e20dbc0e81c2

SHA1
4549e58a9825e24afe44c10e1165ae7000770930

SHA256
4ba17e40cc585d6b31e0ed156c4cf801ac9fc492b3ccb604e307a0b59f193823

SHA512
ffce43bad9d935abff882a384e6a4ea3e9b579d22976fe28adc34ab269ee058a79c2a4ca3e530af9914700143df56d86743a26c2df531d813a7edb0b8ea71564

Download Submit
\??\pipe\LOCAL\crashpad_1444_RLYGWMXWTKDFADYU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2148-136-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2148-135-0x00000000025C3000-0x00000000025E5000-memory.dmp

Filesize
136KB

Download
memory/2148-134-0x00000000025C3000-0x00000000025E5000-memory.dmp

Filesize
136KB

Download
memory/2148-180-0x0000000006BA0000-0x0000000007144000-memory.dmp

Filesize
5.6MB

Download
memory/2148-137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2148-138-0x0000000071DAE000-0x0000000071DAF000-memory.dmp

Filesize
4KB

Download
memory/2148-139-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2148-191-0x0000000007190000-0x00000000077A8000-memory.dmp

Filesize
6.1MB

Download
memory/2148-196-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2148-151-0x0000000004393000-0x0000000004394000-memory.dmp

Filesize
4KB

Download
memory/2148-146-0x0000000004392000-0x0000000004393000-memory.dmp

Filesize
4KB

Download
memory/2464-197-0x00000000038E0000-0x00000000038F0000-memory.dmp

Filesize
64KB

Download
memory/3200-165-0x00007FFACC800000-0x00007FFACC801000-memory.dmp

Filesize
4KB

Download
memory/3524-144-0x0000000004BE1000-0x000000000501D000-memory.dmp

Filesize
4.2MB

Download
memory/3524-152-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3524-145-0x0000000005160000-0x0000000005A86000-memory.dmp

Filesize
9.1MB

Download
memory/3604-186-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3604-184-0x0000000002533000-0x0000000002543000-memory.dmp

Filesize
64KB

Download
memory/3604-185-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3604-176-0x0000000002533000-0x0000000002543000-memory.dmp

Filesize
64KB

Download
memory/4068-160-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download