neshta | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2

General

Target

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Size

916KB
MD5

0e6eccc2cb4555748e5b1dec1ea8e0b0
SHA1

3eba614e98ff631ecb30bcc1cc3cfe4824747dff
SHA256

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2
SHA512

75926bd3d19ef06f38581ad03a95eb99dfed1b0505484680abc633e36200e02bc8fb72bbe1caf4241446edd398650f0ad3a3ecc12b78e2758c29adc843703452
SSDEEP

12288:aW6VgX0SyGUsp8Qd/zDdz+A+hi6+pE30vwmC46oSVISpn7awwgoSPpi6:a/lGl6Qp3R+hos4w74YGwJpi6

Score

10^/10

neshta evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BunndleOfferManager.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL	acprotect
C:\Users\Admin\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

pid process

1668 dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

pid	process
1668	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	upx
behavioral2/memory/1668-135-0x0000000000400000-0x0000000000953000-memory.dmp	upx
behavioral2/memory/1668-136-0x0000000000400000-0x0000000000953000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\BunndleOfferManager.dll	upx
C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL	upx
C:\Users\Admin\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll	upx
behavioral2/memory/1668-143-0x00000000740B0000-0x0000000074114000-memory.dmp	upx
behavioral2/memory/4972-144-0x0000000073A60000-0x0000000073AC4000-memory.dmp	upx
behavioral2/memory/1668-145-0x00000000740B0000-0x0000000074114000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Loads dropped DLL 2 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exerundll32.exe

pid process

1668 dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
4972 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1668	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
4972	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Drops file in Windows directory 1 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description ioc process

File opened for modification C:\Windows\svchost.com dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Modifies registry class 64 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CurVer\ = "Bunndle.BunndleOfferManager.1"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1\ = "131473"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\CLSID	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CLSID\ = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\Control	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32\ThreadingModel = "Apartment"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\Version = "1.0"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\ = "0"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\CLSID\ = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\Version = "1.0"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\Programmable	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ = "BunndleOfferManager Class"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ = "IBunndleOfferManager"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\Version = "1.0"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\Version = "1.0"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\Version = "1.0"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CurVer	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\AppId = "{2C9E6EB4-45BD-4855-A0C2-4614D4C49DBA}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID\ = "Bunndle.BunndleOfferManager"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ = "IBunndleOfferManager2"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\FalconBetaAccount\remote_access_client_id = "5972182477"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\ = "BunndleOfferManager Class"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\ = "BunndleOfferManager Class"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ = "IBunndleOfferManager"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ = "IInstallScriptHelper"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CLSID	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\FalconBetaAccount	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID\ = "Bunndle.BunndleOfferManager.1"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BunndleOfferManager.dll"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\ = "BunndleOfferManager 1.0 Type Library"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\FLAGS	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description pid process

Token: SeManageVolumePrivilege 1668 dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	pid	process
Token: SeManageVolumePrivilege	1668	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exedbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exerundll32.exe

description	pid	process	target process
PID 4032 wrote to memory of 1668	4032	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 4032 wrote to memory of 1668	4032	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 4032 wrote to memory of 1668	4032	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 1668 wrote to memory of 4972	1668	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	rundll32.exe
PID 1668 wrote to memory of 4972	1668	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	rundll32.exe
PID 1668 wrote to memory of 4972	1668	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	rundll32.exe
PID 4972 wrote to memory of 3540	4972	rundll32.exe	cmd.exe
PID 4972 wrote to memory of 3540	4972	rundll32.exe	cmd.exe
PID 4972 wrote to memory of 3540	4972	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
"C:\Users\Admin\AppData\Local\Temp\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe"
2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL,RunOfferManagerAgentW
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /p x= & del /f /s "C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL"
4⤵
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Filesize
875KB

MD5
2c1ef6485eeb834187fc69556a64eafe

SHA1
c959e7d82203d234eb4912c61f05a450417c8c36

SHA256
7f25b9bbec978f3f3810d1e064d2ca9330061bd9d0f7df9c3370f020e9d38e56

SHA512
7f8041ec2d84ed23dd31a4733680e3228bdd12564109f107a57aa341dbd2813d016f154ae0f6dd0957aa67bb4d2ba96bbd6ce555cb366ebd163e9ca9c78e27f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Filesize
875KB

MD5
2c1ef6485eeb834187fc69556a64eafe

SHA1
c959e7d82203d234eb4912c61f05a450417c8c36

SHA256
7f25b9bbec978f3f3810d1e064d2ca9330061bd9d0f7df9c3370f020e9d38e56

SHA512
7f8041ec2d84ed23dd31a4733680e3228bdd12564109f107a57aa341dbd2813d016f154ae0f6dd0957aa67bb4d2ba96bbd6ce555cb366ebd163e9ca9c78e27f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BunndleOfferManager.dll
Filesize
130KB

MD5
f8f7820b4336e61b40ca67418dacc7ba

SHA1
82b6ddc00ddcee0526a357a328a4cad8165d89a1

SHA256
d4dd8b04ed2cb17d9440b24157163c52d8cb2969c71df6e13c30856e29a50fb6

SHA512
260537c02f075b1971d2464fab08e09b194d26ad588e7e5c7809c917393b4328130079941e122ee2e1fa8ae8fbfc202e68462ff779d965555d4fe9d204ceb856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL
Filesize
130KB

MD5
f8f7820b4336e61b40ca67418dacc7ba

SHA1
82b6ddc00ddcee0526a357a328a4cad8165d89a1

SHA256
d4dd8b04ed2cb17d9440b24157163c52d8cb2969c71df6e13c30856e29a50fb6

SHA512
260537c02f075b1971d2464fab08e09b194d26ad588e7e5c7809c917393b4328130079941e122ee2e1fa8ae8fbfc202e68462ff779d965555d4fe9d204ceb856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bunndle\Bunndle.log
Filesize
1KB

MD5
93d9a6c6fdd3ac03af9e7af93698af32

SHA1
e2991a2839a21d7012b1daa0f383052ad85b9d15

SHA256
a265b84eba7e12c397a847758a058e715d24a1bff249147342ad97bad8345e95

SHA512
2d413535c9fa20dcdf63d5fdc51beb3b1fccab3d451b402d29e71499add9cf90f82d0484a84bd730cc996ee6e24276051cdd693a0a7d9a27a2470a9d1404103c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll
Filesize
130KB

MD5
f8f7820b4336e61b40ca67418dacc7ba

SHA1
82b6ddc00ddcee0526a357a328a4cad8165d89a1

SHA256
d4dd8b04ed2cb17d9440b24157163c52d8cb2969c71df6e13c30856e29a50fb6

SHA512
260537c02f075b1971d2464fab08e09b194d26ad588e7e5c7809c917393b4328130079941e122ee2e1fa8ae8fbfc202e68462ff779d965555d4fe9d204ceb856

Download Submit
memory/1668-135-0x0000000000400000-0x0000000000953000-memory.dmp

Filesize
5.3MB

Download
memory/1668-136-0x0000000000400000-0x0000000000953000-memory.dmp

Filesize
5.3MB

Download
memory/1668-132-0x0000000000000000-mapping.dmp

Download
memory/1668-143-0x00000000740B0000-0x0000000074114000-memory.dmp

Filesize
400KB

Download
memory/1668-145-0x00000000740B0000-0x0000000074114000-memory.dmp

Filesize
400KB

Download
memory/3540-142-0x0000000000000000-mapping.dmp

Download
memory/4972-138-0x0000000000000000-mapping.dmp

Download
memory/4972-144-0x0000000073A60000-0x0000000073AC4000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads