Analysis
- max time kernel: 153s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 13:10
Static task: static1
Behavioral task: behavioral1
- Sample: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
- Resource: win10v2004-20220414-en
General
- Target: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
- Size: 599KB
- MD5: fc749757fb4f8b8f4ba51ccd2e24d83e
- SHA1: 8e822fb513966cdddeab856cc865bd54e90acf2e
- SHA256: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
- SHA512: ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273
Malware Config
Extracted
- Protocol: smtp
- Host: mail.grefas.co.th
- Port: 587
- Username: [email protected]
- Password: Cream3040
Signatures
-
suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
-
suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters
-
suricata: ET MALWARE Zbot POST Request to C2
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe | MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe | MailPassView
behavioral2/memory/4976-145-0x0000000000000000-mapping.dmp | MailPassView
behavioral2/memory/4976-146-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/4976-148-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/4976-149-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe | WebBrowserPassView
behavioral2/memory/4340-151-0x0000000000000000-mapping.dmp | WebBrowserPassView
behavioral2/memory/4340-152-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4340-154-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4340-155-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4340-160-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4340-167-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
-
Nirsoft 12 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe | Nirsoft
behavioral2/memory/4976-145-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/4976-146-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/4976-148-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/4976-149-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/4340-151-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/4340-152-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4340-154-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4340-155-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4340-160-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4340-167-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4584 | cse.sfx.exe
4168 | cse.exe
2480 | EBFile_1.exe
832 | ebybomuvyz.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cse.sfx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cse.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
2480 | EBFile_1.exe
2480 | EBFile_1.exe
832 | ebybomuvyz.exe
832 | ebybomuvyz.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run | ebybomuvyz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run | ebybomuvyz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nyonhozo = "C:\\Users\\Admin\\AppData\\Roaming\\Niykekuliwq\\ebybomuvyz.exe" | ebybomuvyz.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
31 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4168 set thread context of 4976 | 4168 | cse.exe | vbc.exe
PID 4168 set thread context of 4340 | 4168 | cse.exe | vbc.exe
PID 2480 set thread context of 1964 | 2480 | EBFile_1.exe | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Privacy | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
pid | process
4168 | cse.exe
2480 | EBFile_1.exe (2 events)
4340 | vbc.exe (2 events)
832 | ebybomuvyz.exe (16 events)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4168 | cse.exe
Token: SeSecurityPrivilege | 2480 | EBFile_1.exe (4 events)
Token: SeSecurityPrivilege | 1436 | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe (16 events)
Token: SeSecurityPrivilege | 992 | cmd.exe (2 events)
Token: SeSecurityPrivilege | 4584 | cse.sfx.exe (2 events)
Token: SeSecurityPrivilege | 4168 | cse.exe (2 events)
Token: SeSecurityPrivilege | 2480 | EBFile_1.exe (2 events)
Token: SeSecurityPrivilege | 832 | ebybomuvyz.exe (6 events)
Token: SeSecurityPrivilege | 1436 | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe (4 events)
Token: SeSecurityPrivilege | 1964 | cmd.exe (2 events)
Token: SeSecurityPrivilege | 832 | ebybomuvyz.exe (23 events)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4168 | cse.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1436 wrote to memory of 992 | 1436 | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe | cmd.exe (3 events)
PID 992 wrote to memory of 4584 | 992 | cmd.exe | cse.sfx.exe (3 events)
PID 4584 wrote to memory of 4168 | 4584 | cse.sfx.exe | cse.exe (3 events)
PID 4168 wrote to memory of 2480 | 4168 | cse.exe | EBFile_1.exe (3 events)
PID 4168 wrote to memory of 4976 | 4168 | cse.exe | vbc.exe (9 events)
PID 4168 wrote to memory of 4340 | 4168 | cse.exe | vbc.exe (9 events)
PID 2480 wrote to memory of 832 | 2480 | EBFile_1.exe | ebybomuvyz.exe (3 events)
PID 832 wrote to memory of 2700 | 832 | ebybomuvyz.exe | sihost.exe (5 events)
PID 832 wrote to memory of 2732 | 832 | ebybomuvyz.exe | svchost.exe (5 events)
PID 832 wrote to memory of 2824 | 832 | ebybomuvyz.exe | taskhostw.exe (5 events)
PID 832 wrote to memory of 3272 | 832 | ebybomuvyz.exe | Explorer.EXE (5 events)
PID 832 wrote to memory of 3372 | 832 | ebybomuvyz.exe | svchost.exe (5 events)
PID 832 wrote to memory of 3560 | 832 | ebybomuvyz.exe | DllHost.exe (5 events)
PID 832 wrote to memory of 3664 | 832 | ebybomuvyz.exe | StartMenuExperienceHost.exe
Processes
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe"
    signatures: Checks computer location settings; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\swe23ahgfr54d.bat" "
      signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Conhost.exe
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe
        command line: cse.sfx.exe -pnoi9uy76thwe -dC:\Users\Admin\AppData\Local\Temp
        signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe"
          signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe
              command line: "C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe"
              signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0dbb2802.bat"
              signatures: Suspicious use of AdjustPrivilegeToken
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            signatures: Accesses Microsoft Outlook accounts
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\System32\wuapihost.exe
  command line: C:\Windows\System32\wuapihost.exe -Embedding
Downloads
-
C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
Filesize: 264KB
MD5: e41feeacb6ce35f13e4844011483fefa
SHA1: 489321121671461adfa36efe47620819bba21a01
SHA256: 47aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350
SHA512: f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe
Filesize: 548KB
MD5: 2f1eae297fdf4ea274aaea87674ad59f
SHA1: e5262ad423771b913ec91950c2425f306af8e4c8
SHA256: bff6beb15bdf458a0dbaa49a664f7c8fe5357ab6d8d945c4422375a78b0f706f
SHA512: 18670499ba6837f60682657092a8edcd195ceda1753cb32aa506cbf43b05e1d53991982780215fca4cce1ad76844a86b62c4493829ea42b9b760185a8f8c2508
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\swe23ahgfr54d.bat
Filesize: 35B
MD5: 41311c4d45324cc6020f12da32203575
SHA1: 6a7f49c8b2287b7693d986b49b383864f24f1496
SHA256: 4787a1f4536ec8038f6f870855ceca45ef730c0929fd84ec5b93dad9494ab27c
SHA512: 47bf7e15e8b4e1e90ccfddc742975de540e88db5a4002c35bbedb7d5a780e8dddce473be357af0e63b582807f6f84b92a2d72df41efa524388e079640328b65f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe
Filesize: 1.2MB
MD5: 21b41538c594d917da5331d9272c2b84
SHA1: 92ebd4081ecc6eed903780db360b27f22d60402f
SHA256: 96a9a3b906d49b21e4c00b9d78075ef6e9319460f8102bc055c68c0af9a58833
SHA512: 63a75dcfcec12638a7ebeaa06d41bda80f6debb5053ccf88c710d040361271c12ba2cfcdc5f104ac2fc6e6fea36a39842156af294a5520fbe0e7fddf2b820cda
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\tmp0dbb2802.bat
Filesize: 195B
MD5: 53c9045f650cd1d7acd1e2060215aeff
SHA1: ba0a2d1e9411b443d17109f81291b450a82b40f5
SHA256: acc020f4f8b589f76e0f3a2c956861936740b4a0ea56357394b8caa43484b7a8
SHA512: 0c73b807117cf16c217322aabdf04cbcdb7a0d92b94bd09e6bb95d9bdfdf2b0be46a70c61c87385fa51b0ea6e133b0524362ff3c189c88e85edee593f0f43d09
-
C:\Users\Admin\AppData\Local\Temp\tmp1F7A.tmp
Filesize: 1.6MB
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\tmp2566.tmp
Filesize: 625KB
MD5: eccf28d7e5ccec24119b88edd160f8f4
SHA1: 98509587a3d37a20b56b50fd57f823a1691a034c
SHA256: 820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6
SHA512: c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670
-
C:\Users\Admin\AppData\Local\Temp\tmp6D0D.tmp
Filesize: 1.6MB
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\tmp83A3.tmp
Filesize: 625KB
MD5: eccf28d7e5ccec24119b88edd160f8f4
SHA1: 98509587a3d37a20b56b50fd57f823a1691a034c
SHA256: 820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6
SHA512: c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670
-
C:\Users\Admin\AppData\Roaming\Ebqoubdiodov\alneegahenk.uvr
Filesize: 3KB
MD5: 955d3a69d37fc73f98065db613464401
SHA1: 73f7a1618bdef77f8486cc49603fe7556c320311
SHA256: af33e8abc5fa1fc409175f62767d1351ce8e0b0ac0f58dd9823584a265d5659a
SHA512: e0d2386c5560910a458e73be5b449eccc3c88a7c9eae03371e0707c6519d3978445a961e841389731607ec59d4ca77f2793173185be02269645b0ccb00dccef2
-
C:\Users\Admin\AppData\Roaming\Ebqoubdiodov\alneegahenk.uvr
Filesize: 3KB
MD5: e88cc153c0803970086bebabf2bb2916
SHA1: 47990988fe762f5ef1478a81312eef05f6c742f0
SHA256: b7cee732715c5251770de6d30c118a40e1288938c732d38303fbfcdb1a641c14
SHA512: 76fb71221ff3812218867360b018370ac100c925f9ac781997221d010ab6389dea631077b86c1b0ea2e53cd5c78c85051bb5bd74c39224eec518d4e3e4f3e2b6
-
C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe
Filesize: 264KB
MD5: e6f242289719cf724976b1ddf2b4a240
SHA1: 400a665ef6f45747a1bba10391c6f4253ee719d0
SHA256: 7a18be67250702560cfc98125827f3fb114d18eace0cb1d5a6378bcf0e2cfafb
SHA512: 62f6005d119649e038ebee8fe673e7e50557c6cffbdd4a83acfbf59c464131af5e424e72012d1da73cd170c61e10038c8a8b0e2bb1b5ca97488be5bd2c1a756f
-
memory/832-157-0x0000000000000000-mapping.dmp
-
memory/992-130-0x0000000000000000-mapping.dmp
-
memory/992-175-0x0000000000DD0000-0x0000000000E17000-memory.dmp
Filesize: 284KB
-
memory/1436-165-0x0000000000430000-0x0000000000477000-memory.dmp
Filesize: 284KB
-
memory/1436-178-0x0000000000430000-0x0000000000477000-memory.dmp
Filesize: 284KB
-
memory/1964-170-0x0000000000730000-0x0000000000777000-memory.dmp
Filesize: 284KB
-
memory/1964-168-0x0000000000000000-mapping.dmp
-
memory/1964-174-0x0000000000730000-0x0000000000777000-memory.dmp
Filesize: 284KB
-
memory/2480-140-0x0000000000000000-mapping.dmp
-
memory/2480-144-0x0000000000400000-0x0000000000447000-memory.dmp
Filesize: 284KB
-
memory/2480-171-0x00000000022A0000-0x00000000022E7000-memory.dmp
Filesize: 284KB
-
memory/2480-143-0x0000000000400000-0x0000000000447000-memory.dmp
Filesize: 284KB
-
memory/4168-139-0x00000000733F0000-0x00000000739A1000-memory.dmp
Filesize: 5.7MB
-
memory/4168-177-0x0000000005530000-0x0000000005577000-memory.dmp
Filesize: 284KB
-
memory/4168-135-0x0000000000000000-mapping.dmp
-
memory/4168-138-0x00000000733F0000-0x00000000739A1000-memory.dmp
Filesize: 5.7MB
-
memory/4340-155-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4340-152-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4340-167-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4340-151-0x0000000000000000-mapping.dmp
-
memory/4340-154-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4340-160-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4584-132-0x0000000000000000-mapping.dmp
-
memory/4584-176-0x00000000005A0000-0x00000000005E7000-memory.dmp
Filesize: 284KB
-
memory/4976-145-0x0000000000000000-mapping.dmp
-
memory/4976-146-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/4976-148-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/4976-149-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB