Analysis
max time kernel: 151s
max time network: 132s
platform: windows7_x64
resource: win7-20220414-en
submitted: 12-07-2022 19:12

Static task: static1
Behavioral task: behavioral1
  Sample: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
  Resource: win10v2004-20220414-en
The signatures, process tree and dropped files below all come from behavioral1 (the Windows 7 x64 run); every YARA resource path is prefixed behavioral1 and the process list contains Windows 7 components such as taskhost.exe and Windows Mail.

General
Target: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Size: 599KB
MD5: fc749757fb4f8b8f4ba51ccd2e24d83e
SHA1: 8e822fb513966cdddeab856cc865bd54e90acf2e
SHA256: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
SHA512: ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273
Malware Config
Extracted
Protocol: smtp
Host: mail.grefas.co.th
Port: 587
Username: [email protected]
Password: Cream3040
These are the SMTP submission credentials embedded in the sample's configuration. The host and the account are the actionable indicators (outbound TCP/587 from a workstation to mail.grefas.co.th); the mailbox is the sample's delivery destination, not a victim account.
Signatures
suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic - POST To file.php w/Extended ASCII Characters
suricata: ET MALWARE Zbot POST Request to C2
NirSoft MailPassView 18 IoCs
Password recovery tool for various email clients
NirSoft WebBrowserPassView 17 IoCs
Password recovery tool for various web browsers
Nirsoft 22 IoCs
YARA matches (behavioral1); M = MailPassView, W = WebBrowserPassView, N = Nirsoft:
  files/0x0008000000012718-62.dat, -64.dat, -65.dat                                 M W N
  files/0x0008000000012718-92.dat, -93.dat, -94.dat, -95.dat                        M W N
  files/0x0008000000012718-108.dat, -109.dat, -110.dat, -111.dat                    M W N
  files/0x0008000000012718-238.dat, -239.dat                                        M W N
  memory/1200-74-0x0000000000411654-mapping.dmp                                     M   N
  memory/1200-73, -77, -78, -80 -0x0000000000400000-0x000000000041B000-memory.dmp   M   N
  memory/1688-82-0x0000000000442628-mapping.dmp                                       W N
  memory/1688-81, -85, -87 -0x0000000000400000-0x0000000000458000-memory.dmp         W N
The file resource 0x0008000000012718 (dumped several times) matches all three rules. In memory the split is clean: PID 1200 (vbc.exe /stext holdermail.txt) matches only MailPassView and PID 1688 (vbc.exe /stext holderwb.txt) only WebBrowserPassView, so each vbc.exe instance hosts a different NirSoft recovery tool, and the 0x400000-based ranges are the replaced process image of each.
Executes dropped EXE 4 IoCs
  1732 cse.sfx.exe
  2036 cse.exe
  1484 EBFile_1.exe
  1992 peoqfyyv.exe
Loads dropped DLL 28 IoCs
  1108 cmd.exe (1)
  1732 cse.sfx.exe (1)
  2036 cse.exe (2)
  1484 EBFile_1.exe (10)
  1992 peoqfyyv.exe (14)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the Visual Basic compiler (vbc.exe) for execution 1 TTPs
vbc.exe is the .NET Visual Basic compiler, not a VBScript interpreter. In this run it is started twice by cse.exe with NirSoft's /stext switch (see the process tree), so the compiler image is only the host process for injected code.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (vbc.exe)
Adds Run key to start application 2 TTPs 3 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run  (peoqfyyv.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Currentversion\Run  (peoqfyyv.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhxyyhzae = "C:\Users\Admin\AppData\Roaming\Wyzeywky\peoqfyyv.exe"  (peoqfyyv.exe)
Only the HKCU value is actually written; the HKLM Wow6432Node Run key is opened for create but no value is set under it in this run. Both the value name (Yhxyyhzae) and the directory (Wyzeywky) are random-looking strings, so hunt on the pattern (a Run value pointing into AppData\Roaming\<random>\<random>.exe) rather than on these exact names.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3: whatismyipaddress.com
  flow 5: whatismyipaddress.com
  flow 6: whatismyipaddress.com
Suspicious use of SetThreadContext 3 IoCs
  2036 cse.exe -> 1200 (vbc.exe, procid_target 33)
  2036 cse.exe -> 1688 (vbc.exe, procid_target 34)
  1484 EBFile_1.exe -> 1464 (cmd.exe, procid_target 38)
Taken together with the WriteProcessMemory entries below and the NirSoft YARA hits in PIDs 1200 and 1688, the two vbc.exe children show the usual hollowing sequence: a suspended child whose image region is overwritten and whose main thread context is reset before it is resumed.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the sandbox's generic text for this heuristic. Nothing else in this report points to ransomware (no mass file modification, no ransom note); drive enumeration is equally consistent with a stealer walking available volumes.
Modifies Internet Explorer settings 2 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy  (4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  (4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe)
NTFS ADS 1 IoCs
  File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\74BC6384-00000001.eml:OECustomProperty  (WinMail.exe)
The writer here is Windows Mail itself, started through COM activation (-Embedding in the process tree), and OECustomProperty is the metadata stream it keeps on its own message files. Treat this as a side effect of the mail store being touched during the run, not as the sample hiding data in an alternate stream.
Suspicious behavior: EnumeratesProcesses 14 IoCs
  2036 cse.exe (1)
  1484 EBFile_1.exe (1)
  1992 peoqfyyv.exe (12)
Suspicious use of AdjustPrivilegeToken 64 IoCs
  SeDebugPrivilege: 2036 cse.exe
  SeManageVolumePrivilege: 1564 WinMail.exe
  SeSecurityPrivilege: 860 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe, 1108 cmd.exe, 1732 cse.sfx.exe, 2036 cse.exe, 1484 EBFile_1.exe, 1992 peoqfyyv.exe, 1464 cmd.exe (requested repeatedly by each)
SeSecurityPrivilege requests run through the whole chain, including the plain cmd.exe stages, so on their own they add little. The SeDebugPrivilege request by cse.exe, the process that then hollows the two vbc.exe children, is the one worth keying on.
Suspicious use of FindShellTrayWindow 1 IoCs
  1564 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs
  1564 WinMail.exe
Suspicious use of SetWindowsHookEx 2 IoCs
  2036 cse.exe
  1564 WinMail.exe
Suspicious use of WriteProcessMemory 64 IoCs
  writer -> target (count of writes, procid_target)
  860 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe -> 1108 cmd.exe (4, 27)
  1108 cmd.exe -> 1732 cse.sfx.exe (4, 29)
  1732 cse.sfx.exe -> 2036 cse.exe (4, 30)
  2036 cse.exe -> 1484 EBFile_1.exe (4, 32)
  2036 cse.exe -> 1200 vbc.exe (10, 33)
  2036 cse.exe -> 1688 vbc.exe (10, 34)
  1484 EBFile_1.exe -> 1992 peoqfyyv.exe (4, 36)
  1992 peoqfyyv.exe -> 1248 taskhost.exe (5, 17)
  1992 peoqfyyv.exe -> 1328 Dwm.exe (5, 16)
  1992 peoqfyyv.exe -> 1392 Explorer.EXE (5, 15)
  1992 peoqfyyv.exe -> 860 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe (5, 26)
  1992 peoqfyyv.exe -> 1108 cmd.exe (4, 27)
The four writes from a parent into a child it has just created recur for every ordinary process start in this tree and carry no signal by themselves. Two things do: the ten writes into each vbc.exe, which pair with the SetThreadContext calls above, and the writes by peoqfyyv.exe into Explorer.EXE, Dwm.exe and taskhost.exe, processes it did not create, which is injection into unrelated processes and fits the Zbot network signatures.
Processes (behavioral1; each line gives image path, command line and PID, indented by depth, with the signatures that fired for that process beneath it)
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID 1392
  C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe  "C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe"  PID 860
    Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\swe23ahgfr54d.bat" "  PID 1108
      Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe  cse.sfx.exe -pnoi9uy76thwe -dC:\Users\Admin\AppData\Local\Temp  PID 1732
        Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe"  PID 2036
          Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe  "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"  PID 1484
            Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\Wyzeywky\peoqfyyv.exe  "C:\Users\Admin\AppData\Roaming\Wyzeywky\peoqfyyv.exe"  PID 1992
              Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe454c486.bat"  PID 1464
              Suspicious use of AdjustPrivilegeToken
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"  PID 1200
            Accesses Microsoft Outlook accounts
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"  PID 1688
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID 1328
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID 1248
C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-570144825-1992790364-19711452327204422851435801637726270130-938617710504722718"  PID 1128
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 1608
C:\Program Files\Windows Mail\WinMail.exe  "C:\Program Files\Windows Mail\WinMail.exe" -Embedding  PID 1564
  NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID 1960
Reading the chain: the sample is a WinRAR self-extractor (RarSFX0) that runs a batch file; the batch file launches a second, password-protected self-extractor with the password on the command line (-pnoi9uy76thwe) and extracts to Temp; its payload cse.exe starts two vbc.exe children and replaces their images with NirSoft MailPassView and WebBrowserPassView, each told to write its results to a text file (holdermail.txt, holderwb.txt); cse.exe also runs EBFile_1.exe, which installs peoqfyyv.exe under AppData\Roaming, registers it in the HKCU Run key, and runs a temporary batch file through a cmd.exe whose thread context it sets. The /stext switch on a compiler binary and a Run value pointing into AppData\Roaming are the two cheapest things to alert on from this tree.
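Detection logic for this tree, as an added example that is not part of the sandbox report: it takes process-creation and registry events (the event schema, rule names and regexes are this editor's assumptions; the sample events are constructed from the tree above) and flags vbc.exe launched with a NirSoft save switch, a nested password-protected SFX extraction, and a Run value pointing into a user-writable directory, rebuilding the parent chain for every hit so an analyst sees the same ancestry the sandbox shows.

```python
"""Detection logic for the behaviours in the process tree above, run over
constructed process-creation and registry events that mirror it.

Added example; not part of the sandbox report. The event schema, the rule
names and the regexes are this editor's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full image path
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value_name: str
    data: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str
    chain: str       # ancestry, child first: "vbc.exe <- cse.exe <- ..."


# NirSoft "save report" switches (/stext, /scomma, /shtml, ...). The real
# Visual Basic compiler has no such switches, so vbc.exe started with one
# is a NirSoft tool running inside the compiler image.
NIRSOFT_SAVE_SWITCH = re.compile(r"(?i)\s/s(text|tab|comma|tabular|html|verhtml|xml)\b")
# WinRAR SFX switches -p<password> and -d<destination>: a nested,
# password-protected self-extractor driven non-interactively.
SFX_PASSWORD_EXTRACT = re.compile(r"(?i)\s-p\S+.*\s-d\S+")
# Autorun data pointing into a location the user can write to.
USER_WRITABLE = re.compile(r"(?i)\\AppData\\(Roaming|Local\\Temp)\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(pid: int, by_pid: Dict[int, ProcEvent], max_depth: int = 10) -> str:
    """Walk ppid links to rebuild the chain the sandbox shows as a tree."""
    names: List[str] = []
    cur: Optional[int] = pid
    while cur in by_pid and len(names) < max_depth:
        names.append(basename(by_pid[cur].image))
        cur = by_pid[cur].ppid
    return " <- ".join(names)


def detect(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Finding]:
    by_pid = {p.pid: p for p in procs}
    out: List[Finding] = []
    for p in procs:
        if basename(p.image).lower() == "vbc.exe" and NIRSOFT_SAVE_SWITCH.search(p.cmdline):
            out.append(Finding("nirsoft_in_vbc", p.pid, p.cmdline, ancestry(p.pid, by_pid)))
        if "rarsfx" in p.image.lower() and SFX_PASSWORD_EXTRACT.search(p.cmdline):
            out.append(Finding("nested_password_sfx", p.pid, p.cmdline, ancestry(p.pid, by_pid)))
    for r in regs:
        if r.key.lower().endswith("\\currentversion\\run") and USER_WRITABLE.search(r.data):
            out.append(Finding("autorun_user_writable", r.pid,
                               f"{r.value_name} = {r.data}", ancestry(r.pid, by_pid)))
    return out


# Constructed sample: the report's process tree and Run-key write, as events.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_PROCS = [
    ProcEvent(1392, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(860, 1392, T + "\\" + SAMPLE, f'"{T}\\{SAMPLE}"'),
    ProcEvent(1108, 860, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{T}\\RarSFX0\\swe23ahgfr54d.bat" "'),
    ProcEvent(1732, 1108, T + r"\RarSFX0\cse.sfx.exe", f"cse.sfx.exe -pnoi9uy76thwe -d{T}"),
    ProcEvent(2036, 1732, T + r"\RarSFX1\cse.exe", f'"{T}\\RarSFX1\\cse.exe"'),
    ProcEvent(1484, 2036, T + r"\EBFile_1.exe", f'"{T}\\EBFile_1.exe"'),
    ProcEvent(1200, 2036, VBC, f'{VBC} /stext "{T}\\holdermail.txt"'),
    ProcEvent(1688, 2036, VBC, f'{VBC} /stext "{T}\\holderwb.txt"'),
    ProcEvent(1992, 1484, r"C:\Users\Admin\AppData\Roaming\Wyzeywky\peoqfyyv.exe",
              r'"C:\Users\Admin\AppData\Roaming\Wyzeywky\peoqfyyv.exe"'),
    ProcEvent(1464, 1484, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c "{T}\\tmpe454c486.bat"'),
]
SAMPLE_REGS = [
    RegEvent(1992,
             r"\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run",
             "Yhxyyhzae", r"C:\Users\Admin\AppData\Roaming\Wyzeywky\peoqfyyv.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.chain}\n    {f.detail}")
```

The rules are deliberately narrow: a genuine `vbc.exe /target:exe hello.vb` is not flagged, and the SFX rule requires both the password and the destination switch on an image extracted into a RarSFX directory, which is what distinguishes a staged, non-interactive unpack from a user double-clicking an archive.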
TTPs above are mapped against MITRE ATT&CK Enterprise v6.
Downloads
The raw export lists one entry per write (40 entries); collapsed by SHA256 that is 10 unique files, given here in order of first appearance with the number of times each was recorded. The export carries hashes only: the names seen in the process tree (cse.sfx.exe, cse.exe, EBFile_1.exe, peoqfyyv.exe, the two .bat files) cannot be matched to these entries from this report alone.

Filesize 264KB (recorded 7 times)
MD5 e41feeacb6ce35f13e4844011483fefa
SHA1 489321121671461adfa36efe47620819bba21a01
SHA256 47aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350
SHA512 f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe

Filesize 548KB (recorded 8 times)
MD5 2f1eae297fdf4ea274aaea87674ad59f
SHA1 e5262ad423771b913ec91950c2425f306af8e4c8
SHA256 bff6beb15bdf458a0dbaa49a664f7c8fe5357ab6d8d945c4422375a78b0f706f
SHA512 18670499ba6837f60682657092a8edcd195ceda1753cb32aa506cbf43b05e1d53991982780215fca4cce1ad76844a86b62c4493829ea42b9b760185a8f8c2508

Filesize 35B (recorded once)
MD5 41311c4d45324cc6020f12da32203575
SHA1 6a7f49c8b2287b7693d986b49b383864f24f1496
SHA256 4787a1f4536ec8038f6f870855ceca45ef730c0929fd84ec5b93dad9494ab27c
SHA512 47bf7e15e8b4e1e90ccfddc742975de540e88db5a4002c35bbedb7d5a780e8dddce473be357af0e63b582807f6f84b92a2d72df41efa524388e079640328b65f

Filesize 1.2MB (recorded 13 times)
MD5 21b41538c594d917da5331d9272c2b84
SHA1 92ebd4081ecc6eed903780db360b27f22d60402f
SHA256 96a9a3b906d49b21e4c00b9d78075ef6e9319460f8102bc055c68c0af9a58833
SHA512 63a75dcfcec12638a7ebeaa06d41bda80f6debb5053ccf88c710d040361271c12ba2cfcdc5f104ac2fc6e6fea36a39842156af294a5520fbe0e7fddf2b820cda

Filesize 2B (recorded once)
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize 195B (recorded once)
MD5 4a3cbe73a5ef263666979c8da6a0d042
SHA1 041b3084eb0277967f34b3d15871c017e3498946
SHA256 e37ed6f5416dbb0fd457fd4317649e906c4ad292b261bccfc2577ef29752c255
SHA512 5e970216a3d9ff10d9be5f8609df212e39308b5d48ab0aad7748ba8fc4cf64f3606bd808c970752026cc06565b268fbf42d63bad126c3b1482db7c513b886412

Filesize 4KB (recorded once)
MD5 9c05efdd9b7c731a4cced8bf6f6ca373
SHA1 e3a4f1f413089e73744599be2a7260c8e2c562d1
SHA256 a43d3c5f79115c53aedbd896b4e615d913234f9d3f7da4e49cbcbbaeb6980150
SHA512 81ab342abd5b50f35501dd3f5c154fab509c2ed0337675f86997d4130336f4cb2d6cd1630b7ac3e4b37d7df940d323a36c3003e381da91a0800bdba1945e840a

Filesize 264KB (recorded 4 times)
MD5 23a070ad83b3f600324e7d632185629d
SHA1 3d64920e9583e501d8898bc39ead20abc0d08f48
SHA256 109dd3334eea4e6254a954b747cd11d33f0b960167f133207b174c11b7dfb27f
SHA512 a3b65537f0b206ef8b6fffc1bc96e2ed71f89ca6e05ec7607208f2a977e7974e248a366e683c2628998dd39fee6fead3bbdd05fa98c887dbd5acc77448ee82b1

Filesize 1.2MB (recorded twice)
MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Filesize 1.1MB (recorded twice)
MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA1 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
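Collapsing a listing like this by hand is error-prone, so here is the parser this editor would use, as an added example that is not part of the report: it reads the sandbox's raw export format (blocks separated by a lone "-", each hash label glued to its hex value, for example "MD5e41fee..."), validates digest lengths, checks that every repeat of a SHA256 carries the same other digests and size, and returns the unique files with their occurrence counts. The separator and label conventions are assumptions taken from the raw export; the sample input is constructed from three of the report's own entries.

```python
"""Collapse a sandbox dropped-file listing to its unique files.

The raw export prints one Filesize/MD5/SHA1/SHA256/SHA512 block per write,
with each label glued to its hex value ("MD5e41fee..."), so one file can
appear many times. Added example; not part of the report. The separator
("-") and the label-glued digest format are this editor's assumptions."""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELED = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


@dataclass
class DroppedFile:
    size: str
    hashes: Dict[str, str]
    occurrences: int = 1


def _flush(block: Dict[str, str], unique: "OrderedDict[str, DroppedFile]") -> None:
    key = block.get("SHA256")
    if key is None:
        raise ValueError(f"block without SHA256: {block}")
    hashes = {algo: block[algo] for algo in HEX_LEN if algo in block}
    if key in unique:
        # A repeat of the same SHA256 must agree on size and the other digests;
        # anything else means the blocks were mis-split.
        if unique[key].hashes != hashes or unique[key].size != block.get("size"):
            raise ValueError(f"inconsistent entries for {key}")
        unique[key].occurrences += 1
    else:
        unique[key] = DroppedFile(size=block.get("size", "?"), hashes=hashes)


def parse_listing(text: str) -> List[DroppedFile]:
    unique: "OrderedDict[str, DroppedFile]" = OrderedDict()
    block: Dict[str, str] = {}
    expect_size = False
    for raw in text.splitlines() + ["-"]:        # trailing "-" flushes the last block
        line = raw.strip()
        if line == "-":
            if block:
                _flush(block, unique)
                block = {}
            continue
        if line == "Filesize":
            expect_size = True
            continue
        if expect_size:
            block["size"] = line
            expect_size = False
            continue
        m = LABELED.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {line}")
            block[algo] = digest
    return list(unique.values())


def ioc_lines(files: List[DroppedFile]) -> List[str]:
    """One line per unique file: sha256, size, how often it was recorded."""
    return [f"{f.hashes['SHA256']}  {f.size:>6}  x{f.occurrences}" for f in files]


# Constructed sample: three entries from the report's listing, one of them twice.
SAMPLE_LISTING = """\
-
Filesize
264KB
MD5e41feeacb6ce35f13e4844011483fefa
SHA1489321121671461adfa36efe47620819bba21a01
SHA25647aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350
SHA512f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe
-
Filesize
35B
MD541311c4d45324cc6020f12da32203575
SHA16a7f49c8b2287b7693d986b49b383864f24f1496
SHA2564787a1f4536ec8038f6f870855ceca45ef730c0929fd84ec5b93dad9494ab27c
SHA51247bf7e15e8b4e1e90ccfddc742975de540e88db5a4002c35bbedb7d5a780e8dddce473be357af0e63b582807f6f84b92a2d72df41efa524388e079640328b65f
-
Filesize
264KB
MD5e41feeacb6ce35f13e4844011483fefa
SHA1489321121671461adfa36efe47620819bba21a01
SHA25647aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350
SHA512f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe
"""

if __name__ == "__main__":
    for line in ioc_lines(parse_listing(SAMPLE_LISTING)):
        print(line)
```

Keying on SHA256 rather than MD5 is deliberate: MD5 collisions are cheap to manufacture, so a blocklist built from this output should carry the SHA256 column and treat the others as secondary.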