Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-10-2022 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: Image_Of_Victim.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Image_Of_Victim.exe
- Resource: win10v2004-20220812-en
General
- Target: Image_Of_Victim.exe
- Size: 1.9MB
- MD5: f1878e41af327064496e57f50d35395d
- SHA1: b426d39e6928556a2b58d9147c3254b8fa6009a4
- SHA256: 373834225a126abde8256049e073b8e07bd06c7563f929783f441a1a63a88d1b
- SHA512: ff28bbd0f3c7b04ba93f024d356cee092f14c3040b968ebae31bdd9116ed8762aadcec3ac3af3e06238a787ef87b5031d29acf708640c52ac80f55fdfcd89fdd
- SSDEEP: 49152:C5IoVKMQfTCFbMmHI6jduMG+XtbNztOsrStQ0pDWa:C5IoAMQfIr++dpztpStFJ
Malware Config
Extracted
- Family: asyncrat
- Version: 5.0.5
- Botnet: Venom Clients
- C2: tienMonkey-40774.portmap.io:40774
- Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource / yara_rule:
  C:\Client.exe  asyncrat
  C:\Client.exe  asyncrat
  behavioral1/memory/1672-63-0x0000000000BB0000-0x0000000000BC6000-memory.dmp  asyncrat
- Executes dropped EXE (2 IoCs)
  pid / process:
  1588  nonono.exe
  1672  Client.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / process:
  Key opened  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nonono.exe
  Key opened  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nonono.exe
  Key opened  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nonono.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  7   ip-api.com
  11  icanhazip.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / process:
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  nonono.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  nonono.exe
- Modifies system certificate store
  description / ioc / process:
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (data not shown)  nonono.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  nonono.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (data not shown)  nonono.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  nonono.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (data not shown)  nonono.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (data not shown)  nonono.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
  1588  nonono.exe  (64 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege          1672  Client.exe
  Token: SeDebugPrivilege          1588  nonono.exe
  Token: SeRestorePrivilege        584   msiexec.exe
  Token: SeTakeOwnershipPrivilege  584   msiexec.exe
  Token: SeSecurityPrivilege       584   msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / process:
  592  DllHost.exe  (2 events)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / process:
  1588  nonono.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description / pid / process / target process (each pair recorded 4 times):
  PID 2020 wrote to memory of 1588  Image_Of_Victim.exe -> nonono.exe
  PID 2020 wrote to memory of 1672  Image_Of_Victim.exe -> Client.exe
  PID 1588 wrote to memory of 1076  nonono.exe -> cmd.exe
  PID 1076 wrote to memory of 1200  cmd.exe -> chcp.com
  PID 1076 wrote to memory of 1176  cmd.exe -> netsh.exe
  PID 1076 wrote to memory of 804   cmd.exe -> findstr.exe
  PID 1588 wrote to memory of 1888  nonono.exe -> cmd.exe
  PID 1888 wrote to memory of 2000  cmd.exe -> chcp.com
  PID 1888 wrote to memory of 1776  cmd.exe -> netsh.exe
- outlook_office_path (1 IoCs)
  description / ioc / process:
  Key opened  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nonono.exe
- outlook_win_path (1 IoCs)
  description / ioc / process:
  Key opened  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nonono.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Image_Of_Victim.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Image_Of_Victim.exe"
  - Suspicious use of WriteProcessMemory
  - C:\nonono.exe
    Command line: "C:\nonono.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show networks mode=bssid
  - C:\Client.exe
    Command line: "C:\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Client.exe
  Filesize: 63KB
  MD5: bf1e0b700f4955c1bf6ff3d5cd010658
  SHA1: 6919b4a8c0443b02846717e0764e7052b34c00c2
  SHA256: ce44ab513606e6ba64fee7a9f5d5cd236b57dc856374578dca043d84e00d8541
  SHA512: c6168ee1ceb98c3eca66b6aa1f5503849dc94e357da016dd5a1a6697337a68fc57bc3d4cc83dbdb74b4ed2b959a0b1099c18e93470db53d339bfbe0858b20844
- C:\Desktop.jpg
  Filesize: 162KB
  MD5: 773ecd18678795d7378e760fee974ca3
  SHA1: 1fc418f98c9b4c1757c593bc51fc8c6b45bf6d95
  SHA256: 72a84e420b0db282102471c1a6fff6e87073ed7a4dcc0a83501a91d9eacbf9c9
  SHA512: 1d58295b00d3e25432f3a9306c214fed927f8da78a5f047fefe054fd21b7fba4eee51f0d526eb543b6f08c1cd080c73e4d9ef56379c7c320a3b69187557d35f8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 60KB
  MD5: d15aaa7c9be910a9898260767e2490e1
  SHA1: 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
  SHA256: f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
  SHA512: 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 149fe9218e5107945d045b23e9dd82b6
  SHA1: 7a0354fa0a7daf9ee61c965c31ed42de653415fd
  SHA256: 640140938acebe8d3ee572da9146648e377c6be8827d6de9473afe9d573f6f24
  SHA512: 8e82a2bcb37316f823b4c52bb8183052068a43b59916dc8a04f49274df3713649ef81456ad812be485f524ceec88dd22d36df06ffdcf57c4e79a950a022a5b62
- C:\nonono.exe
  Filesize: 1.5MB
  MD5: 174800448060da1f551c0e234d0337f6
  SHA1: 5c395ac0840c2abba7e18afa1080b22a8bfc5d12
  SHA256: 6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690
  SHA512: 0ff91582a3d89ba03f76ca845aec9dfd540d17d9f34a5935b71a947e89e716f9cb3af2e8302bad68be48a6644b7ac4812945759134fcf17bc3d196b70d83ca2a