Analysis
-
max time kernel
58s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
02-02-2023 16:42
Static task
static1
Behavioral task
behavioral1
Sample
B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
Resource
win10v2004-20220812-en
General
-
Target
B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
-
Size
32.4MB
-
MD5
c5681f0e12aac8a5f3461b636bb03e0e
-
SHA1
7dccbceaaa2f18357746e7105c2d9a5caa75e8fa
-
SHA256
b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715
-
SHA512
c72bf2510dfc7ff8ebbe769c1851c7bd068c901460820d7bbf5bbe06217f8ba0dd0e1cfab83a009f06fedc28ba7b765cc5393fa3861c39316e8a22b52941b33e
-
SSDEEP
786432:uNNuklYm9MgdaR5qAV72zEWxOUfM30wvvoO2Hum6y/E87eqzDI:u3uklYmMVfqOq46E0+277C6DI
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Group (botnet): Default
C2: 135.148.113.4:6789
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: true
- install_file: Service Host.exe
- install_folder: %AppData%
The run matches this config: Rapyzfeak.exe installs the client as C:\Users\Admin\AppData\Roaming\Service Host.exe, registers it as an onlogon scheduled task, and relaunches it from a temp batch file after "timeout 3" (see Processes). The C2 endpoint, mutex and install name are per-build configuration: treat them as indicators for this build, not for AsyncRAT in general.
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
  behavioral1/memory/932-60-0x000000013FB60000-0x000000013FBB0000-memory.dmp | family_stormkitty
  behavioral1/memory/932-62-0x0000000002310000-0x0000000002384000-memory.dmp | family_stormkitty
-
Async RAT payload 10 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe | asyncrat
  behavioral1/memory/1096-74-0x00000000012F0000-0x0000000001302000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe | asyncrat
  behavioral1/memory/1588-83-0x0000000001310000-0x0000000001322000-memory.dmp | asyncrat
  \Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
  behavioral1/memory/1784-112-0x0000000001070000-0x0000000001082000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
  pid | process
  932 | Blko.exe
  1324 | Mkwlvmfy.exe
  1096 | Leeliicq.exe
  1780 | Jdyfi.exe
  584 | Lmndyfrlq.exe
  1588 | Rapyzfeak.exe
  1784 | Service Host.exe
-
Loads dropped DLL 11 IoCs
Processes:
  pid | process
  1980 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
  584 | Lmndyfrlq.exe (8 loads)
  1980 | MsiExec.exe
  1188 | cmd.exe
  Note: PID 1980 is reused within the run. Early on it is the original sample; later it is the MsiExec.exe -Embedding child of msiexec.exe (PID 728), see the WriteProcessMemory list and memory/1980-104-mapping.dmp. Do not read the two 1980 entries as one process.
-
VMProtect packed file (yara_rule: vmprotect)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll | vmprotect
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  Both MSIEXEC.EXE (PID 452) and msiexec.exe (PID 728) opened, read-only, every drive letter from A: to Z: other than C: and D: (\??\A:, \??\B:, \??\E: through \??\Z:), 24 opens per process and 48 in total. Both processes are Windows Installer, and volume probing of this kind is its normal behaviour during an MSI install, so this signature is attributable to the bundled SetupTikTokPlus.msi rather than to the RAT or the stealer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  7 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic rule description calls this likely ransomware behaviour; nothing else in this run supports that reading. The only drive access attributed to a process here is the Windows Installer's (see Enumerates connected drives above), and no file encryption or ransom-note activity is recorded.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here cmd.exe (PID 1608), spawned by Rapyzfeak.exe, runs schtasks.exe (PID 1288) with /create /f /sc onlogon /rl highest /tn "Service Host" /tr "C:\Users\Admin\AppData\Roaming\Service Host.exe": a logon-triggered task at the highest run level, named after the label Task Manager shows for svchost.exe, pointing at an executable in the user's roaming profile.
-
Delays execution with timeout.exe 2 IoCs
Processes:
  pid | process
  1224 | timeout.exe
  1088 | timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
  pid | process
  1580 | taskkill.exe
-
Modifies system certificate store
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Blko.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob value not reproduced on this page] | Blko.exe
  The thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the DigiCert Global Root CA, a root Windows already trusts. AuthRoot\Certificates is the store Windows' automatic root update fills when a process first validates a chain ending in a root not yet cached locally, so this write is a side effect of StormKitty's outbound HTTPS traffic, not an attacker-installed root. A planted root would appear under ROOT\Certificates with a thumbprint that does not match any public CA.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  1588 | Rapyzfeak.exe
  932 | Blko.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1588 | Rapyzfeak.exe
  Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege | 728 | msiexec.exe
  Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then twice the full set SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (60 entries) | 452 | MSIEXEC.EXE
  The 63 Windows Installer entries are what an MSI install normally does and add no signal. The entry to act on is SeDebugPrivilege enabled by Rapyzfeak.exe, the AsyncRAT dropper, which is not something a legitimate user-mode installer component needs.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  452 | MSIEXEC.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  source pid | source process | target pid | target process | writes
  1980 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe | 932 | Blko.exe | 3
  1980 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe | 1324 | Mkwlvmfy.exe | 3
  1324 | Mkwlvmfy.exe | 1096 | Leeliicq.exe | 4
  1324 | Mkwlvmfy.exe | 1780 | Jdyfi.exe | 3
  1780 | Jdyfi.exe | 584 | Lmndyfrlq.exe | 7
  1780 | Jdyfi.exe | 1588 | Rapyzfeak.exe | 4
  584 | Lmndyfrlq.exe | 452 | MSIEXEC.EXE | 7
  1588 | Rapyzfeak.exe | 1608 | cmd.exe | 4
  1588 | Rapyzfeak.exe | 1188 | cmd.exe | 4
  1608 | cmd.exe | 1288 | schtasks.exe | 4
  1188 | cmd.exe | 1224 | timeout.exe | 4
  728 | msiexec.exe | 1980 | MsiExec.exe | 7
  1188 | cmd.exe | 1784 | Service Host.exe | 4
  932 | Blko.exe | 1352 | cmd.exe | 3
  1352 | cmd.exe | 896 | chcp.com | 3
  Every entry is a parent writing into a child it has just created (the normal process start-up sequence), so this table doubles as the spawn tree; none of it is injection into an unrelated process. The list is capped at 64 entries, which is why the taskkill.exe (PID 1580) and timeout.exe (PID 1088) children of cmd.exe (PID 1352) are missing here although they appear in the process tree below.
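The signatures above record the two command-line patterns from this run that are worth detecting across a fleet: schtasks registering an onlogon task at the highest run level whose target lives under AppData, and a cmd.exe that runs a tmpXXXX.tmp.bat from %TEMP% and then spawns timeout.exe together with either taskkill.exe (the StormKitty batch that kills PID 932) or the relaunched payload from AppData\Roaming (the AsyncRAT install batch). The PowerShell below is an added example written for this page, not Triage's output and not the malware's code. It runs two such rules over constructed Sysmon-style process-creation records whose PIDs, images and command lines are copied from this report, plus one constructed benign schtasks record as a control. The field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the function names and rule wording are ours.

```powershell
# Added example for this page (not Triage's output or the malware's code): two detection
# rules run over Sysmon-style process-creation records. The records are constructed from
# the command lines in this report, plus one benign schtasks record as a control.

function New-ProcEvent($ProcessId, $ParentProcessId, $Image, $CommandLine) {
    [pscustomobject]@{ ProcessId = $ProcessId; ParentProcessId = $ParentProcessId; Image = $Image; CommandLine = $CommandLine }
}

$SampleEvents = @(
    New-ProcEvent 1608 1588 'C:\Windows\SysWOW64\cmd.exe'      '"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr ''"C:\Users\Admin\AppData\Roaming\Service Host.exe"'' & exit'
    New-ProcEvent 1288 1608 'C:\Windows\SysWOW64\schtasks.exe' 'schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr ''"C:\Users\Admin\AppData\Roaming\Service Host.exe"'''
    New-ProcEvent 1188 1588 'C:\Windows\SysWOW64\cmd.exe'      'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE12.tmp.bat""'
    New-ProcEvent 1224 1188 'C:\Windows\SysWOW64\timeout.exe'  'timeout 3'
    New-ProcEvent 1784 1188 'C:\Users\Admin\AppData\Roaming\Service Host.exe' '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
    New-ProcEvent 1352 932  'C:\Windows\System32\cmd.exe'      '"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.bat'
    New-ProcEvent 896  1352 'C:\Windows\system32\chcp.com'     'chcp 65001'
    New-ProcEvent 1580 1352 'C:\Windows\system32\taskkill.exe' 'TaskKill /F /IM 932'
    New-ProcEvent 1088 1352 'C:\Windows\system32\timeout.exe'  'Timeout /T 2 /Nobreak'
    # Constructed benign control (not from the report): a daily task into Program Files must not fire.
    New-ProcEvent 4000 3000 'C:\Windows\System32\schtasks.exe' 'schtasks /create /sc daily /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"'
)

function Find-DropperPersistence {
    param([Parameter(Mandatory)][object[]]$Events)

    # Index children by parent PID so a cmd.exe can be judged by what it spawns.
    $children = @{}
    foreach ($e in $Events) {
        if (-not $children.ContainsKey($e.ParentProcessId)) { $children[$e.ParentProcessId] = @() }
        $children[$e.ParentProcessId] += $e
    }
    $leaf = { param($img) (("$img" -split '[\\/]')[-1]).ToLowerInvariant() }

    foreach ($e in $Events) {
        $name = & $leaf $e.Image
        $cmd  = $e.CommandLine

        # Rule 1: schtasks registering a logon-triggered, highest-run-level task whose target
        # lives under AppData (Scheduled Task persistence, T1053.005, as this sample uses it).
        if ($name -eq 'schtasks.exe' -and
            $cmd -match '(?i)/create' -and $cmd -match '(?i)/sc\s+onlogon' -and
            $cmd -match '(?i)/rl\s+highest' -and $cmd -match '(?i)/tr\s+.*\\AppData\\') {
            [pscustomobject]@{ Rule = 'schtasks onlogon+highest task into AppData'; ProcessId = $e.ProcessId; CommandLine = $cmd }
        }

        # Rule 2: cmd.exe running a tmpXXXX.tmp.bat from %TEMP% whose children include timeout.exe
        # and either taskkill.exe (self-termination) or an executable under AppData\Roaming
        # (delayed relaunch of the installed payload).
        if ($name -eq 'cmd.exe' -and $cmd -match '(?i)\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat') {
            $kids     = @($children[$e.ProcessId] | Where-Object { $null -ne $_ })
            $kidNames = @($kids | ForEach-Object { & $leaf $_.Image })
            $relaunch = @($kids | Where-Object { $_.Image -match '(?i)\\AppData\\Roaming\\' }).Count -gt 0
            if ($kidNames -contains 'timeout.exe' -and ($kidNames -contains 'taskkill.exe' -or $relaunch)) {
                [pscustomobject]@{ Rule = 'temp .bat -> timeout + taskkill/AppData relaunch'; ProcessId = $e.ProcessId; CommandLine = $cmd }
            }
        }
    }
}

Find-DropperPersistence -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Against the constructed records, Rule 1 fires on schtasks.exe (PID 1288) and not on the daily Program Files task, and Rule 2 fires on both batch-running cmd.exe instances (PIDs 1188 and 1352). Rule 2 deliberately keys on the parent-child relationship rather than on the batch file name alone, because the tmpXXXX.tmp.bat name is random per run while the timeout/taskkill/relaunch shape is what the dropper code needs to do its job. To run this on real telemetry, replace $SampleEvents with objects projected from Sysmon Event ID 1 (or your EDR's equivalent) carrying the same four fields.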
Processes
Reading the tree: the sample (PID 1980) drops StormKitty (Blko.exe) and a chain of droppers (Mkwlvmfy.exe, then Jdyfi.exe) that ends in two AsyncRAT clients (Leeliicq.exe and Rapyzfeak.exe, the latter installing itself as %AppData%\Service Host.exe) plus the bundled SetupTikTokPlus.msi, which Lmndyfrlq.exe hands to Windows Installer. msiexec.exe /V (PID 728) is the Windows Installer service instance that the MSIEXEC.EXE client (PID 452) talks to; it shows up as a second root because the Service Control Manager starts it, not the sample. PIDs are taken from the signature tables above.

C:\Users\Admin\AppData\Local\Temp\B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe (PID 1980)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Blko.exe (PID 932, StormKitty)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Blko.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 1352)
      cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (PID 896)
        cmdline: chcp 65001
      C:\Windows\system32\taskkill.exe (PID 1580)
        cmdline: TaskKill /F /IM 932
        - Kills process with taskkill
      C:\Windows\system32\timeout.exe (PID 1088)
        cmdline: Timeout /T 2 /Nobreak
        - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe (PID 1324)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe (PID 1096, AsyncRAT)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe (PID 1780)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe (PID 1588, AsyncRAT)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1608)
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"' & exit
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\schtasks.exe (PID 1288)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
            - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe (PID 1188)
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE12.tmp.bat""
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\timeout.exe (PID 1224)
            cmdline: timeout 3
            - Delays execution with timeout.exe
          C:\Users\Admin\AppData\Roaming\Service Host.exe (PID 1784, AsyncRAT)
            cmdline: "C:\Users\Admin\AppData\Roaming\Service Host.exe"
            - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe (PID 584)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\MSIEXEC.EXE (PID 452)
          cmdline: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{A88148C7-A58E-426C-B020-97FB8D1E30EF}\SetupTikTokPlus.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Lmndyfrlq.exe"
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 728)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 1980, PID reused after the sample exited)
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 24D0175EC0A4A72E8974E971DC5C0503 C
    - Loads dropped DLL
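The extracted config and the process tree describe one install routine: copy the client to %AppData%\Service Host.exe, register a "Service Host" onlogon task, hold the AsyncMutex_6SI8OkPnk mutex, and connect to 135.148.113.4:6789. The PowerShell below is an added example for this page, ours rather than Triage's or AsyncRAT's code, that checks a Windows host for exactly those artifacts. Only the indicator values are taken from the report; the function name, parameter names and output format are ours. Run it elevated and in the affected user's logon session: a named mutex without the Global\ prefix is only visible from the session that created it, so both forms are probed.

```powershell
# Added example for this report (not Triage's or AsyncRAT's code): check a Windows host for
# the artifacts recorded in the sandbox run. Indicator values come from the report; the
# function and parameter names are ours.

$ReportIndicators = [ordered]@{
    TaskName      = 'Service Host'                                  # /tn from the schtasks command
    InstallPath   = Join-Path $env:APPDATA 'Service Host.exe'       # install_folder + install_file
    PayloadSha256 = '8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010'
    MutexName     = 'AsyncMutex_6SI8OkPnk'
    C2Address     = '135.148.113.4'
    C2Port        = 6789
}

function Test-AsyncRatIndicators {
    [CmdletBinding()]
    param([System.Collections.IDictionary]$Ioc = $ReportIndicators)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Persistence: the onlogon task registered with /rl highest.
    $task = Get-ScheduledTask -TaskName $Ioc.TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ' '
        $findings.Add("task '$($Ioc.TaskName)' runs $exe (RunLevel $($task.Principal.RunLevel), state $($task.State))")
    }

    # 2. Dropped client: the file at %APPDATA%\Service Host.exe, hashed against the report.
    #    -eq on strings is case-insensitive, so the report's lowercase hex compares cleanly.
    if (Test-Path -LiteralPath $Ioc.InstallPath) {
        $hash = (Get-FileHash -LiteralPath $Ioc.InstallPath -Algorithm SHA256).Hash
        $verdict = if ($hash -eq $Ioc.PayloadSha256) { 'same build as the report' } else { 'different build, same name' }
        $findings.Add("file $($Ioc.InstallPath) exists, SHA256 $hash ($verdict)")
    }

    # 3. Running client: the mutex is held for the life of the process. A name without the
    #    Global\ prefix lives in the caller's logon session, so both forms are probed.
    foreach ($name in @($Ioc.MutexName, "Global\$($Ioc.MutexName)")) {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $m.Dispose()
            $findings.Add("mutex $name is currently held")
        }
    }

    # 4. Command and control: any TCP socket to the configured endpoint, with its owning process.
    Get-NetTCPConnection -RemoteAddress $Ioc.C2Address -RemotePort $Ioc.C2Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $findings.Add("TCP $($_.State) $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) owned by PID $($_.OwningProcess) ($owner)")
        }

    return $findings
}

$result = @(Test-AsyncRatIndicators)
if ($result.Count -eq 0) { 'No indicators from this report were found on this host.' }
else { $result | ForEach-Object { "[!] $_" } }
```

A hit on the task or the file is durable evidence even after the client has been killed; the mutex and socket checks only catch a client that is running at the moment of the check, so a clean result on those two does not clear the host. If the file is present but the hash differs, expect a different build of the same family with its own C2 and mutex, and re-extract the config rather than reusing this report's values.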
Downloads
Files listed more than once in the raw report (same path, same hashes) appear once below; files with different paths but identical hashes are grouped, since they are the same bytes.
-
C:\Users\Admin\AppData\Local\Downloaded Installations\{A88148C7-A58E-426C-B020-97FB8D1E30EF}\SetupTikTokPlus.msi
  The bundled installer, which accounts for most of the sample's 32.4MB and gives it its cover.
  Filesize 33.2MB
  MD5 7f784ac43b811a6f648ff3c984410ca0
  SHA1 6f1b79470facb8a4e5b47b809a663126edb802ec
  SHA256 7cf8f058778f9d6066a6bd579ca6e2e5e55c3f488748d2108e3b0b9a7f2de512
  SHA512 62aa64ce24285983dc861b31fc0f53b58f3da7b2b39f9f3e259fdd0199920a6f32e9c443f0d9a1403947d84085d435b2cfd2e02e5bbdc804ab71d0d29e485e86
-
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll (yara: vmprotect)
  Filesize 293KB
  MD5 7a2d5deab61f043394a510f4e2c0866f
  SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
  SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
  SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
C:\Users\Admin\AppData\Local\Temp\Blko.exe, also listed as \Users\Admin\AppData\Local\Temp\Blko.exe (yara: family_stormkitty)
  Filesize 304KB
  MD5 c5a1a80b17e6cdad96f21f92160e7a6d
  SHA1 f33bd203d5412df427b41360e217de3b72112e75
  SHA256 d4753222b1b400a0f8812a9ca1e1a00f646ef4b46f569e8f19eac7fec05eeac5
  SHA512 d8689f75683ea406da58d234f3f7ec902b0a0b29a3c43a1de0169f6db13bef4a63550d05bbebefc79dd39e2899a299a5cf920e354a2ce7cf868c235bbce0f708
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
  Filesize 448KB
  MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
  SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
  SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
  SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe
  Filesize 32.0MB
  MD5 c61d02d9bc8430640de22e5873f2a95e
  SHA1 1049789deeaa3a55a2e884d6d36a2d3199455e4c
  SHA256 103dfcddeaf65095d7f775314070b5dbc4cb9ecc147ff544eba00b1c15cf12d3
  SHA512 fd8e84f5465c37a75790004134487d9c3633bc59e985e139722a8f2e77b9b659f3f2ec85f8af59d29e570a8a49ae5dc984312102e2cdc5850a6859f290fb29b5
-
C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe, C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe and C:\Users\Admin\AppData\Roaming\Service Host.exe (also listed as \Users\Admin\AppData\Roaming\Service Host.exe)
  Byte-identical copies of the AsyncRAT client (yara: asyncrat); one SHA256 covers all three names.
  Filesize 45KB
  MD5 4b3284d70137fee18f1068d0b3ec3819
  SHA1 24a47e72ea5f76bbc37b0281bb24508b631157de
  SHA256 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
  SHA512 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d
-
C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe
  Filesize 32.8MB
  MD5 58d4e2a29f5f12ed8a361443ef92444e
  SHA1 748bc7f49e5ecb818ec39897fc817ffe703c5ded
  SHA256 b530fa22f8e41fceecba250f3e070656a1bf470f221ebe368445948c37d5b81b
  SHA512 51179701ab0cd4af9cca357298db1d3fd5cc7c1225d1b050afdf25f18d240f0b3ebf867d9e0dab717aafd6e559f75742c08a5aa9a62a7ae3b3027d86f7d3ebde
-
C:\Users\Admin\AppData\Local\Temp\MSIBFD7.tmp, also listed as \Users\Admin\AppData\Local\Temp\MSIBFD7.tmp
  Filesize 153KB
  MD5 c90f51e8f8c547ce8a48c22ecdcf5304
  SHA1 b7a5831e3678693ebb254b5720a58020c0772551
  SHA256 226f3e224bfc7d77afff0f3d9048d1727eea7aa5e2e443f8cc55baa7dc5c6473
  SHA512 ae667b38251f4ec2062a42f8238ac8391a2aed0a2833a5320d3b296347a689e59a4f442add547b6a202aea4ddcab16e3db823452e18714c69585efed0c4e9903
-
C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe
  Filesize 32.1MB
  MD5 29862545c340a4a0cb79600d275b75dd
  SHA1 6be93f123bddef0727d3ed64ff82d1b91e45d68d
  SHA256 028be801a20513d0ca91ab1249d1695d89c4c03490d32ebd2751a8a977cf120f
  SHA512 2d64fb68293ad4d243410a92fee5b1723868f3454bcf4b01921ead3b76c9f4706ec79dc44ab440a5eff82de95d914deb30b04e7200c45d00d7b36aafaf29781d
-
C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.bat (run by cmd.exe PID 1352 for Blko.exe: chcp, taskkill, timeout)
  Filesize 232B
  MD5 fa5b7a9007c803ce3d5f40d34b1817d3
  SHA1 b1bac465ff59c9648501fc1d16e9ea5294d12ee1
  SHA256 352050648389baeed937766a8cab40d1825bca5b0712b5e511b99ab8694be218
  SHA512 6bdc519a35c79b7bd1fdea744807ccbc7c1b0d5aea2c64f98003c27383d4a005ea58853e845218a0466d6d7415f7db01585a25464f9c8f4972d1cf244ee16de9
-
C:\Users\Admin\AppData\Local\Temp\tmpBE12.tmp.bat (run by cmd.exe PID 1188 for Rapyzfeak.exe: timeout 3, then Service Host.exe)
  Filesize 156B
  MD5 e5521cac98ffe9716218c84b1ec9b6ff
  SHA1 caa1190ce175fc658b82cb2df461fe8d15b90606
  SHA256 e079543583db287e5bbcb24eb72701a48dd46d20031c0b714605458a2f339f74
  SHA512 630ab27756664079bdc79d9cee651cb328207bf52ae56afe61397750391a692e926cf574e69449d703319190969f04b7374a9b347fe8493c2ee258e76fa965c5
-
\Users\Admin\AppData\Local\Temp\_is989A..dll, \Users\Admin\AppData\Local\Temp\_is9966..dll, \Users\Admin\AppData\Local\Temp\_is9A03..dll and \Users\Admin\AppData\Local\Temp\_is9A71..dll
  Four identical copies (same hashes) written by the Lmndyfrlq.exe setup bootstrapper.
  Filesize 2.2MB
  MD5 0ce4d3bd306da6d1f6f233c403f5b667
  SHA1 15dd2e31c5e9dc223befc5cfb6ca01737b262412
  SHA256 6428ad0bd3732a2038cd372a06563e84f33dcdab4e2b203b3f75be678690dcad
  SHA512 4275103c2148945e0ea7afc666402c3fa37b6443fb298fb40d668269694057b394fc23e1aeac99236e3ffee1a05ecb3ae2d394df9ad219bc7b6bd67412670ae9
-
memory/452-95-0x0000000000000000-mapping.dmp
memory/584-77-0x0000000000000000-mapping.dmp
memory/584-79-0x0000000076141000-0x0000000076143000-memory.dmp  Filesize 8KB
memory/896-116-0x0000000000000000-mapping.dmp
memory/932-57-0x0000000000000000-mapping.dmp
memory/932-60-0x000000013FB60000-0x000000013FBB0000-memory.dmp  Filesize 320KB
memory/932-66-0x0000000000850000-0x0000000000856000-memory.dmp  Filesize 24KB
memory/932-62-0x0000000002310000-0x0000000002384000-memory.dmp  Filesize 464KB
memory/1088-118-0x0000000000000000-mapping.dmp
memory/1096-74-0x00000000012F0000-0x0000000001302000-memory.dmp  Filesize 72KB
memory/1096-68-0x0000000000000000-mapping.dmp
memory/1188-100-0x0000000000000000-mapping.dmp
memory/1224-103-0x0000000000000000-mapping.dmp
memory/1288-102-0x0000000000000000-mapping.dmp
memory/1324-61-0x0000000000000000-mapping.dmp
memory/1324-65-0x00000000008D0000-0x00000000028E8000-memory.dmp  Filesize 32.1MB
memory/1352-114-0x0000000000000000-mapping.dmp
memory/1580-117-0x0000000000000000-mapping.dmp
memory/1588-80-0x0000000000000000-mapping.dmp
memory/1588-83-0x0000000001310000-0x0000000001322000-memory.dmp  Filesize 72KB
memory/1608-99-0x0000000000000000-mapping.dmp
memory/1780-71-0x0000000000000000-mapping.dmp
memory/1780-75-0x0000000000C30000-0x0000000002C3E000-memory.dmp  Filesize 32.1MB
memory/1784-110-0x0000000000000000-mapping.dmp
memory/1784-112-0x0000000001070000-0x0000000001082000-memory.dmp  Filesize 72KB
memory/1980-54-0x0000000000FD0000-0x0000000003036000-memory.dmp  Filesize 32.4MB
memory/1980-104-0x0000000000000000-mapping.dmp
memory/1980-55-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp  Filesize 8KB