arkei | 18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Size

4.7MB
MD5

fc133ce298306a3e8c6443b64d1bf303
SHA1

774ee564f6ae6ce7d0f75e5062b2fa88b00df5da
SHA256

18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a
SHA512

7c4689555eefef79a67b8dd950104755df63f17b50112b266306bafcabdf4e81d5403b61e8074decae9dfbdd1b4ce1d48fefabc8aa1e6f224f2b1c86e070a917

Score

10^/10

arkei default discovery persistence spyware stealer suricata

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe

Loads dropped DLL 10 IoCs

pid	Process
1284	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
1284	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2224	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2224	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
4688	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
4688	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2784	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2784	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
1648	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
1648	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\yWExaiQG.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\yWExaiQG.exe"	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yWExaiQG.exe	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
File created	C:\Windows\SysWOW64\yWExaiQG.exe	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 set thread context of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 set thread context of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 set thread context of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95
PID 2612 set thread context of 2784	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	99
PID 2612 set thread context of 1648	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	103

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
1460	timeout.exe
408	timeout.exe
4760	timeout.exe
1852	timeout.exe
2040	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
Token: SeRestorePrivilege	1780	dw20.exe
Token: SeBackupPrivilege	1780	dw20.exe
Token: SeBackupPrivilege	1780	dw20.exe
Token: SeBackupPrivilege	1780	dw20.exe
Token: SeBackupPrivilege	1780	dw20.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3424	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	77
PID 2612 wrote to memory of 3424	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	77
PID 2612 wrote to memory of 3424	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	77
PID 3424 wrote to memory of 3996	3424	csc.exe	79
PID 3424 wrote to memory of 3996	3424	csc.exe	79
PID 3424 wrote to memory of 3996	3424	csc.exe	79
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 1284	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	80
PID 2612 wrote to memory of 4200	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	81
PID 2612 wrote to memory of 4200	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	81
PID 2612 wrote to memory of 4200	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	81
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 2720	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	82
PID 2612 wrote to memory of 4592	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	83
PID 2612 wrote to memory of 4592	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	83
PID 2612 wrote to memory of 4592	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	83
PID 2720 wrote to memory of 1780	2720	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	85
PID 2720 wrote to memory of 1780	2720	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	85
PID 2720 wrote to memory of 1780	2720	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	85
PID 4592 wrote to memory of 4964	4592	cmd.exe	86
PID 4592 wrote to memory of 4964	4592	cmd.exe	86
PID 4592 wrote to memory of 4964	4592	cmd.exe	86
PID 1284 wrote to memory of 4956	1284	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	88
PID 1284 wrote to memory of 4956	1284	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	88
PID 1284 wrote to memory of 4956	1284	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	88
PID 4956 wrote to memory of 1460	4956	cmd.exe	90
PID 4956 wrote to memory of 1460	4956	cmd.exe	90
PID 4956 wrote to memory of 1460	4956	cmd.exe	90
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2612 wrote to memory of 2224	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	91
PID 2224 wrote to memory of 3472	2224	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	92
PID 2224 wrote to memory of 3472	2224	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	92
PID 2224 wrote to memory of 3472	2224	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	92
PID 3472 wrote to memory of 408	3472	cmd.exe	94
PID 3472 wrote to memory of 408	3472	cmd.exe	94
PID 3472 wrote to memory of 408	3472	cmd.exe	94
PID 2612 wrote to memory of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95
PID 2612 wrote to memory of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95
PID 2612 wrote to memory of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95
PID 2612 wrote to memory of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95
PID 2612 wrote to memory of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95
PID 2612 wrote to memory of 4688	2612	18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe	95

C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
"C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z9g_i4yw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA406.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3F5.tmp"
    3⤵
    PID:3996
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1460
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 776
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explorer" /t REG_SZ /d "C:\Windows\system32\yWExaiQG.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explorer" /t REG_SZ /d "C:\Windows\system32\yWExaiQG.exe
    3⤵
    - Adds Run key to start application
    PID:4964
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:408
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe" & exit
    3⤵
    PID:4052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4760
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe" & exit
    3⤵
    PID:5108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1852
- C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe
  "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\18a0c8d80b21635c34073b6bfc676f999739c5c65ec35b53612b737f1ce9182a.exe" & exit
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA406.tmp

Filesize
1KB

MD5
f5d07f2ad1b5dd316c0947058e75ac72

SHA1
14d43b4a4c7f424b4a1498433ae2b26bef96c6ea

SHA256
ebc3b6c723748bedcc41c9248c905fe86f71a14526d60d793ebf35c173373374

SHA512
dacd1bfc061261cb53a4140686a1c38cdf61485bb2bfc61be25d815dfe565c3902ef7fcf75cb2c0a93cfcfbb53b31a7b7aa65161e8513d2494cb18b2e3da1fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9g_i4yw.dll

Filesize
9.3MB

MD5
517e8edf35b9e79cef453b8755c644d6

SHA1
f82216f3f31651c19e1083c220bb27d285fdaf98

SHA256
c23c247f9f9830956fe65f04f78da4920b228c5d63bddecca8b10b1768a601d0

SHA512
82365d58cd7092c971ee661c3c9bb02c61517ecc3bcaff3ee582ac2110c91c0036f48fceba55a5180d1950663e1c1442160fa724591cb365959d67b54c17acbe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA3F5.tmp

Filesize
652B

MD5
db11944afceb1ebf5ec99486be2fe906

SHA1
102a746ba047edcb92033148dd63fdb697a745a2

SHA256
4b29c2e990c16964800112580cba2da6ddee5fd39eb15bff4e7f7037835039ad

SHA512
0c1228f9f273e45a6f02e639517ba81e793af47131959d895b25ab75d79a2552992b8933c599c2b362a000eeba17842511d36ce4f08a1505b4b1317cd0d774a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp9C73.tmp.txt

Filesize
4.7MB

MD5
51ebb7a4e323a95de7274867baa9f29d

SHA1
e8020abf1e404020cfa2a2079c47d24d4e4f48be

SHA256
24ef1ca05d32b4253a07e0857e9cd81915e4dccab0b7e7f6cce000e88417c34a

SHA512
6a0b4fc6f4c0db58a314403115f7e079882fb2d20ac35699fd32679471608def8f71268286c739923afb782264f1748df6e85c1a1a12c4686d275f11ceebd1dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z9g_i4yw.cmdline

Filesize
196B

MD5
a5e818803144b1afb3123b05ed74710d

SHA1
c508ddca02f7d1cee39fa92af3b73cac612be489

SHA256
1d7237e2ecb841acae62516aa6a3ad595505d38e03b7c668af7104ba1d2e0d5f

SHA512
b65b8e1dfd4c6dc3204a182eb95f5f1f6c9a7a6da6b1904994f4139f4f53663785ed068998b76208317c4d138ca4090a25e7fef72bdc7fc7862ce17842c97eb0

Download Submit
memory/1284-180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-158-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1284-141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1648-293-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1648-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-191-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-214-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-130-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2612-157-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2720-150-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/2720-149-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/2720-148-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/2720-156-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2784-259-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2784-282-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4688-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4688-225-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download