Analysis

max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-07-2022 19:12

Static task: static1
Behavioral task: behavioral1
  Sample: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
  Resource: win10v2004-20220414-en
General

Target: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Size: 599KB
MD5: fc749757fb4f8b8f4ba51ccd2e24d83e
SHA1: 8e822fb513966cdddeab856cc865bd54e90acf2e
SHA256: 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
SHA512: ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273
Malware Config

Extracted
Protocol: smtp
Host: mail.grefas.co.th
Port: 587
Username: [email protected]
Password: Cream3040
Signatures

suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic - POST To file.php w/Extended ASCII Characters
suricata: ET MALWARE Zbot POST Request to C2
NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients
  resource                                                                      yara_rule
  behavioral2/files/0x00070000000231c1-136.dat                                  MailPassView
  behavioral2/files/0x00070000000231c1-137.dat                                  MailPassView
  behavioral2/memory/3580-146-0x0000000000000000-mapping.dmp                    MailPassView
  behavioral2/memory/3580-147-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/3580-149-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/3580-150-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (6 IoCs)
Password recovery tool for various web browsers
  resource                                                                      yara_rule
  behavioral2/files/0x00070000000231c1-136.dat                                  WebBrowserPassView
  behavioral2/files/0x00070000000231c1-137.dat                                  WebBrowserPassView
  behavioral2/memory/3524-171-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3524-173-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3524-174-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3524-176-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView

Nirsoft (10 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x00070000000231c1-136.dat                                  Nirsoft
  behavioral2/files/0x00070000000231c1-137.dat                                  Nirsoft
  behavioral2/memory/3580-146-0x0000000000000000-mapping.dmp                    Nirsoft
  behavioral2/memory/3580-147-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/3580-149-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/3580-150-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/3524-171-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/3524-173-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/3524-174-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/3524-176-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
Executes dropped EXE (4 IoCs)
  pid   Process
  1808  cse.sfx.exe
  1956  cse.exe
  4596  EBFile_1.exe
  4540  ywniqieziql.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  cse.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  cse.sfx.exe
Loads dropped DLL (4 IoCs)
  pid   Process          rows
  4596  EBFile_1.exe     2
  4540  ywniqieziql.exe  2
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)
The binary behind this signature is vbc.exe, the Visual Basic .NET compiler (not a VBScript interpreter). It is a signed Microsoft binary with no stealer functionality of its own; in this run cse.exe (PID 1956) writes into two vbc.exe children (PIDs 3580 and 3524) and calls SetThreadContext on them, after which their memory matches the MailPassView and WebBrowserPassView YARA rules above. The /stext switch on their command lines is the NirSoft tools' "save as text" option, not a vbc.exe option.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description  ioc                                                                                                                         Process
  Key opened   \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description      ioc                                                                                                                Process
  Key created      \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run      ywniqieziql.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run                                      ywniqieziql.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mubiqusi = "C:\\Users\\Admin\\AppData\\Roaming\\Azalloavsife\\ywniqieziql.exe"  ywniqieziql.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     whatismyipaddress.com
  7     whatismyipaddress.com
Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process       procid_target
  PID 1956 set thread context of 3580  1956  cse.exe       86
  PID 4596 set thread context of 4328  4596  EBFile_1.exe  88
  PID 1956 set thread context of 3524  1956  cse.exe       90
  PID 1956 set thread context of 3524  1956  cse.exe       90
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", which is a generic heuristic; nothing else in this report (no file encryption, no ransom note) supports that reading for this sample.

Modifies Internet Explorer settings (2 IoCs)
  description      ioc                                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Privacy              4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical rows collapsed, in the order listed)
  pid   Process          rows
  1956  cse.exe          1
  4596  EBFile_1.exe     2
  4540  ywniqieziql.exe  8
  3524  vbc.exe          2
  4540  ywniqieziql.exe  51 (the remainder of the 64-row cap)
Suspicious use of AdjustPrivilegeToken (64 IoCs; rows grouped by token and process, counts taken from the listed rows)
  Token                pid   Process                                                                 rows
  SeDebugPrivilege     1956  cse.exe                                                                 1
  SeSecurityPrivilege  4480  4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe  20
  SeSecurityPrivilege  4596  EBFile_1.exe                                                            6
  SeSecurityPrivilege  2320  cmd.exe                                                                 2
  SeSecurityPrivilege  1808  cse.sfx.exe                                                             2
  SeSecurityPrivilege  1956  cse.exe                                                                 2
  SeSecurityPrivilege  4328  cmd.exe                                                                 2
  SeSecurityPrivilege  4540  ywniqieziql.exe                                                         29 (the remainder of the 64-row cap)
cse.exe (PID 1956) is the only process that enables SeDebugPrivilege, consistent with its role as the injector in the SetThreadContext and WriteProcessMemory tables.
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1956  cse.exe
Suspicious use of WriteProcessMemory (64 IoCs; consecutive identical rows collapsed, target image names taken from the Processes tree below)
  writer pid  Process                                                                 target pid  target image                 procid_target  rows
  4480        4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe  2320        cmd.exe                      79             3
  2320        cmd.exe                                                                 1808        cse.sfx.exe                  81             3
  1808        cse.sfx.exe                                                             1956        cse.exe                      82             3
  1956        cse.exe                                                                 4596        EBFile_1.exe                 85             3
  1956        cse.exe                                                                 3580        vbc.exe                      86             9
  4596        EBFile_1.exe                                                            4540        ywniqieziql.exe              87             3
  4540        ywniqieziql.exe                                                         2664        sihost.exe                   57             5
  4540        ywniqieziql.exe                                                         2704        svchost.exe (CDPUserSvc)     56             5
  4540        ywniqieziql.exe                                                         2904        taskhostw.exe                50             5
  4540        ywniqieziql.exe                                                         3212        Explorer.EXE                 48             5
  4540        ywniqieziql.exe                                                         3308        svchost.exe (cbdhsvc)        47             5
  4540        ywniqieziql.exe                                                         3504        DllHost.exe                  46             5
  4540        ywniqieziql.exe                                                         3620        StartMenuExperienceHost.exe  45             5
  4540        ywniqieziql.exe                                                         3684        RuntimeBroker.exe            44             5
The three-row pattern recurs for every ordinary parent/child spawn in this tree. The nine writes into 3580 (a vbc.exe whose memory then matches MailPassView) and the five writes into each of eight pre-existing system processes do not fit that pattern. The table is capped at 64 rows, so later writes, such as those into the second vbc.exe (PID 3524, which SetThreadContext above shows being targeted), are not listed.
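The SetThreadContext and WriteProcessMemory tables are easier to read as a graph than as rows. The script below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the page's own row layout (the regular expression is an assumption about that layout), collapses them into writer/target edges, and separates the ordinary dropper chain from the hollowing pairs (written to and given a new thread context by the same process), the context-only targets, and the fan-out of one writer into many existing processes. The input rows are a constructed excerpt of the two tables with the repeats removed, and the PID-to-image map is copied from the Processes tree.

```python
"""Rebuild the injection graph from the WriteProcessMemory / SetThreadContext
tables of a sandbox report (added example, not the report's own tooling)."""
import re
from collections import defaultdict

# Constructed input: rows copied from the two tables above, one per line,
# repeats dropped (the report lists a write up to nine times and caps at 64).
WRITE_ROWS = """
PID 4480 wrote to memory of 2320 4480 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe 79
PID 2320 wrote to memory of 1808 2320 cmd.exe 81
PID 1808 wrote to memory of 1956 1808 cse.sfx.exe 82
PID 1956 wrote to memory of 4596 1956 cse.exe 85
PID 1956 wrote to memory of 3580 1956 cse.exe 86
PID 4596 wrote to memory of 4540 4596 EBFile_1.exe 87
PID 4540 wrote to memory of 2664 4540 ywniqieziql.exe 57
PID 4540 wrote to memory of 2704 4540 ywniqieziql.exe 56
PID 4540 wrote to memory of 3212 4540 ywniqieziql.exe 48
PID 4540 wrote to memory of 3684 4540 ywniqieziql.exe 44
"""
CONTEXT_ROWS = """
PID 1956 set thread context of 3580 1956 cse.exe 86
PID 4596 set thread context of 4328 4596 EBFile_1.exe 88
PID 1956 set thread context of 3524 1956 cse.exe 90
"""
# PID -> image name, taken from the report's Processes tree.
NAMES = {
    4480: "4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe",
    2320: "cmd.exe", 1808: "cse.sfx.exe", 1956: "cse.exe", 4596: "EBFile_1.exe",
    4540: "ywniqieziql.exe", 3580: "vbc.exe", 3524: "vbc.exe", 4328: "cmd.exe",
    2664: "sihost.exe", 2704: "svchost.exe", 3212: "Explorer.EXE",
    3684: "RuntimeBroker.exe",
}

# Row grammar as rendered on the page (an assumption about the layout):
#   PID <pid> <action> <target> <pid> <image> <procid_target>
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\d+)"
)


def parse_rows(text):
    """Return (pid, action, target, image) tuples; reject anything off-grammar."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m[1]), m[2], int(m[3]), m[4]))
    return rows


def build_graph(write_text, ctx_text):
    """writes[pid] = targets pid wrote into; ctx[pid] = targets whose thread context pid set."""
    writes, ctx = defaultdict(set), defaultdict(set)
    for pid, action, target, _ in parse_rows(write_text) + parse_rows(ctx_text):
        (writes if action.startswith("wrote") else ctx)[pid].add(target)
    return writes, ctx


def hollowing_candidates(writes, ctx):
    """Targets both written to and given a new thread context by the same
    process: the WriteProcessMemory + SetThreadContext hollowing pair."""
    return {t for pid, ts in ctx.items() for t in ts if t in writes.get(pid, ())}


def context_only(writes, ctx):
    """SetThreadContext targets with no write row on the page: either cut off
    by the 64-row cap or reached through a different primitive."""
    return {t for pid, ts in ctx.items() for t in ts if t not in writes.get(pid, ())}


def dropper_chain(root, writes, names):
    """Follow single-target write edges from root: the stage-by-stage dropper chain."""
    chain = [root]
    while len(writes.get(chain[-1], ())) == 1:
        chain.append(next(iter(writes[chain[-1]])))
    return [f"{p} {names.get(p, '?')}" for p in chain]


def fan_out(writes, min_targets=3):
    """Writers that touch many distinct processes: injection into existing
    processes rather than a single hollowed child."""
    return {pid: sorted(ts) for pid, ts in writes.items() if len(ts) >= min_targets}


if __name__ == "__main__":
    writes, ctx = build_graph(WRITE_ROWS, CONTEXT_ROWS)
    print("dropper chain:", " -> ".join(dropper_chain(4480, writes, NAMES)))
    print("hollowed     :", sorted(hollowing_candidates(writes, ctx)))
    print("context only :", sorted(context_only(writes, ctx)))
    for pid, targets in fan_out(writes).items():
        print(f"fan-out      : {pid} {NAMES[pid]} -> {targets}")
```

On the rows above this yields the chain 4480 -> 2320 -> 1808 -> 1956, the single hollowing pair cse.exe -> 3580, two context-only targets (3524 and 4328) and ywniqieziql.exe as the one writer fanning out into existing processes; the same functions work unchanged on any report that renders its rows in this layout.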
Processes
(indentation shows parent/child nesting; "flags" repeats the signatures the report attached to each process)

- [PID 872]  C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 3772] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- [PID 3684] C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 3620] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- [PID 3504] C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [PID 3308] C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [PID 3212] C:\Windows\Explorer.EXE
  - [PID 4480] C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
      flags: Checks computer location settings; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [PID 2320] C:\Windows\SysWOW64\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\swe23ahgfr54d.bat" ")
        flags: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [PID 2316] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - [PID 1808] C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe -pnoi9uy76thwe -dC:\Users\Admin\AppData\Local\Temp
          flags: Executes dropped EXE; Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [PID 1956] C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe
            flags: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [PID 4596] C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
              flags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [PID 4540] C:\Users\Admin\AppData\Roaming\Azalloavsife\ywniqieziql.exe
                flags: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [PID 4328] C:\Windows\SysWOW64\cmd.exe  (cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0e370375.bat")
                flags: Suspicious use of AdjustPrivilegeToken
          - [PID 3580] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              flags: Accesses Microsoft Outlook accounts
          - [PID 3524] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
              flags: Suspicious behavior: EnumeratesProcesses
- [PID 2904] C:\Windows\system32\taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [PID 2704] C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [PID 2664] C:\Windows\system32\sihost.exe

Notes on the chain: the RarSFX0 and RarSFX1 directories are WinRAR self-extractor working folders, so the sample is a RAR SFX that drops a batch file and a second, password-protected SFX. The switches on cse.sfx.exe are WinRAR SFX switches: -p supplies the archive password (noi9uy76thwe) and -d the extraction directory, which is why static unpacking of the inner archive needs that password. cse.exe is the stage that holds SeDebugPrivilege, hooks input (SetWindowsHookEx) and hollows the two vbc.exe children that carry the NirSoft mail and browser password recovery tools; their /stext outputs (holdermail.txt, holderwb.txt) are the credential dumps. EBFile_1.exe installs the persistent copy under %APPDATA%\Azalloavsife with a Run key (value name Mubiqusi), and that copy writes into eight pre-existing system processes.
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped files and memory artifacts offered by the report (16 entries; identical entries are merged, with the number of times each appears):

- Filesize 264KB (listed twice)
  MD5:    e41feeacb6ce35f13e4844011483fefa
  SHA1:   489321121671461adfa36efe47620819bba21a01
  SHA256: 47aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350
  SHA512: f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe

- Filesize 548KB (listed twice)
  MD5:    2f1eae297fdf4ea274aaea87674ad59f
  SHA1:   e5262ad423771b913ec91950c2425f306af8e4c8
  SHA256: bff6beb15bdf458a0dbaa49a664f7c8fe5357ab6d8d945c4422375a78b0f706f
  SHA512: 18670499ba6837f60682657092a8edcd195ceda1753cb32aa506cbf43b05e1d53991982780215fca4cce1ad76844a86b62c4493829ea42b9b760185a8f8c2508

- Filesize 35B
  MD5:    41311c4d45324cc6020f12da32203575
  SHA1:   6a7f49c8b2287b7693d986b49b383864f24f1496
  SHA256: 4787a1f4536ec8038f6f870855ceca45ef730c0929fd84ec5b93dad9494ab27c
  SHA512: 47bf7e15e8b4e1e90ccfddc742975de540e88db5a4002c35bbedb7d5a780e8dddce473be357af0e63b582807f6f84b92a2d72df41efa524388e079640328b65f

- Filesize 1.2MB (listed twice)
  MD5:    21b41538c594d917da5331d9272c2b84
  SHA1:   92ebd4081ecc6eed903780db360b27f22d60402f
  SHA256: 96a9a3b906d49b21e4c00b9d78075ef6e9319460f8102bc055c68c0af9a58833
  SHA512: 63a75dcfcec12638a7ebeaa06d41bda80f6debb5053ccf88c710d040361271c12ba2cfcdc5f104ac2fc6e6fea36a39842156af294a5520fbe0e7fddf2b820cda

- Filesize 3KB
  MD5:    f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1:   9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

- Filesize 195B
  MD5:    ccdd82912c1cc7c3f39b444a5a4157ef
  SHA1:   093d0e27b1b071decdbb15eb7b214abca86625c1
  SHA256: 9228a44c2e9a6cec0d7a555df382ce5e8027d9296affc5041754ebeb1865b62b
  SHA512: d41e7eefa26890b7f106540b63e3f06de5b8d36dde4cc546fca77c0ad9992163114291357ad2e72f96d00760d99598d9ae08049333b68d7f17eb428352594f64

- Filesize 1.6MB (listed twice)
  MD5:    4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1:   e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

- Filesize 625KB (listed twice)
  MD5:    eccf28d7e5ccec24119b88edd160f8f4
  SHA1:   98509587a3d37a20b56b50fd57f823a1691a034c
  SHA256: 820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6
  SHA512: c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

- Filesize 264KB (listed twice)
  MD5:    83c9a10f5e54956914da038b5ec0a24b
  SHA1:   cd24120500efc1cb8fcb702826a3d92028559e00
  SHA256: 95ad987ec147d20408bea40f892f555bc109c2e82b225dccd4b77a35a07d60ed
  SHA512: 52a0821b4b98735cc9d5b20396a3ca663f2122807bc50f91b83057f1fc098836691137de9342bbea0847df61bde9c950b0f4520acb8bd05cba85e7e11a3db2cd

- Filesize 3KB
  MD5:    e30cc79f0e2474a6a0328214b3038f69
  SHA1:   303cb7598a6f199c07ea9ea95b6cfc5d379c05c4
  SHA256: e415af2d51f779e0e11a16be482f53c6a5dfe6ceada905f8e4f3bdf5d686a420
  SHA512: 3ced62c160f3a6a56b4c529aef30c7b8b2dd0db2e948dc198134692610b56683eb6fc94c36ebee7dbc22f185ecd8110db34d30f03af2b52467c28dca261c93b0