Analysis
-
max time kernel: 93s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 02-02-2023 16:42
Static task
static1
Behavioral task
behavioral1
Sample
B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
Resource
win10v2004-20220812-en
General
-
Target
B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
-
Size
32.4MB
-
MD5
c5681f0e12aac8a5f3461b636bb03e0e
-
SHA1
7dccbceaaa2f18357746e7105c2d9a5caa75e8fa
-
SHA256
b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715
-
SHA512
c72bf2510dfc7ff8ebbe769c1851c7bd068c901460820d7bbf5bbe06217f8ba0dd0e1cfab83a009f06fedc28ba7b765cc5393fa3861c39316e8a22b52941b33e
-
SSDEEP
786432:uNNuklYm9MgdaR5qAV72zEWxOUfM30wvvoO2Hum6y/E87eqzDI:u3uklYmMVfqOq46E0+277C6DI
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 135.148.113.4:6789
Mutex: AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Service Host.exe
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
behavioral2/memory/4948-137-0x0000000000D00000-0x0000000000D50000-memory.dmp | family_stormkitty
-
Async RAT payload 9 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe | asyncrat
C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe | asyncrat
behavioral2/memory/1924-148-0x0000000000800000-0x0000000000812000-memory.dmp | asyncrat
C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe | asyncrat
C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe | asyncrat
C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Mkwlvmfy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Jdyfi.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Leeliicq.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Rapyzfeak.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Blko.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
4948 | Blko.exe
4876 | Mkwlvmfy.exe
1924 | Leeliicq.exe
3420 | Jdyfi.exe
1396 | Lmndyfrlq.exe
1128 | Rapyzfeak.exe
4552 | Service Host.exe
1960 | Service Host.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
4376 | MsiExec.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral2/memory/4948-195-0x000000001CA20000-0x000000001CAA4000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll | vmprotect
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\W: | MSIEXEC.EXE
File opened (read-only) | \??\E: | MSIEXEC.EXE
File opened (read-only) | \??\P: | MSIEXEC.EXE
File opened (read-only) | \??\N: | MSIEXEC.EXE
File opened (read-only) | \??\Q: | MSIEXEC.EXE
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\F: | MSIEXEC.EXE
File opened (read-only) | \??\I: | MSIEXEC.EXE
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | MSIEXEC.EXE
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\O: | MSIEXEC.EXE
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | MSIEXEC.EXE
File opened (read-only) | \??\M: | MSIEXEC.EXE
File opened (read-only) | \??\R: | MSIEXEC.EXE
File opened (read-only) | \??\S: | MSIEXEC.EXE
File opened (read-only) | \??\T: | MSIEXEC.EXE
File opened (read-only) | \??\X: | MSIEXEC.EXE
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\B: | MSIEXEC.EXE
File opened (read-only) | \??\K: | MSIEXEC.EXE
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | MSIEXEC.EXE
File opened (read-only) | \??\V: | MSIEXEC.EXE
File opened (read-only) | \??\Z: | MSIEXEC.EXE
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | MSIEXEC.EXE
File opened (read-only) | \??\H: | MSIEXEC.EXE
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | MSIEXEC.EXE
File opened (read-only) | \??\J: | MSIEXEC.EXE
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
29 | ip-api.com
68 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Blko.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Blko.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1848 | schtasks.exe
3680 | schtasks.exe
-
Delays execution with timeout.exe 3 IoCs
Processes:
pid | process
4240 | timeout.exe
4896 | timeout.exe
5080 | timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
1276 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | occurrences (64 events in the order recorded)
1924 | Leeliicq.exe | 23
4948 | Blko.exe | 1
1128 | Rapyzfeak.exe | 23
4948 | Blko.exe | 17
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1924 | Leeliicq.exe
Token: SeDebugPrivilege | 4948 | Blko.exe
Token: SeShutdownPrivilege | 4644 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 4644 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 4456 | msiexec.exe
Token: SeCreateTokenPrivilege | 4644 | MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege | 4644 | MSIEXEC.EXE
Token: SeLockMemoryPrivilege | 4644 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 4644 | MSIEXEC.EXE
Token: SeMachineAccountPrivilege | 4644 | MSIEXEC.EXE
Token: SeTcbPrivilege | 4644 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 4644 | MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege | 4644 | MSIEXEC.EXE
Token: SeLoadDriverPrivilege | 4644 | MSIEXEC.EXE
Token: SeSystemProfilePrivilege | 4644 | MSIEXEC.EXE
Token: SeSystemtimePrivilege | 4644 | MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege | 4644 | MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege | 4644 | MSIEXEC.EXE
Token: SeCreatePagefilePrivilege | 4644 | MSIEXEC.EXE
Token: SeCreatePermanentPrivilege | 4644 | MSIEXEC.EXE
Token: SeBackupPrivilege | 4644 | MSIEXEC.EXE
Token: SeRestorePrivilege | 4644 | MSIEXEC.EXE
Token: SeShutdownPrivilege | 4644 | MSIEXEC.EXE
Token: SeDebugPrivilege | 4644 | MSIEXEC.EXE
Token: SeAuditPrivilege | 4644 | MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege | 4644 | MSIEXEC.EXE
Token: SeChangeNotifyPrivilege | 4644 | MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege | 4644 | MSIEXEC.EXE
Token: SeUndockPrivilege | 4644 | MSIEXEC.EXE
Token: SeSyncAgentPrivilege | 4644 | MSIEXEC.EXE
Token: SeEnableDelegationPrivilege | 4644 | MSIEXEC.EXE
Token: SeManageVolumePrivilege | 4644 | MSIEXEC.EXE
Token: SeImpersonatePrivilege | 4644 | MSIEXEC.EXE
Token: SeCreateGlobalPrivilege | 4644 | MSIEXEC.EXE
Token: SeDebugPrivilege | 1128 | Rapyzfeak.exe
Token: (the same 29 privileges as above, SeCreateTokenPrivilege through SeCreateGlobalPrivilege, recorded a second time in the same order) | 4644 | MSIEXEC.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4644 | MSIEXEC.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | occurrences (64 events in the order recorded)
PID 4152 wrote to memory of 4948 | 4152 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe | Blko.exe | 2
PID 4152 wrote to memory of 4876 | 4152 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe | Mkwlvmfy.exe | 2
PID 4876 wrote to memory of 1924 | 4876 | Mkwlvmfy.exe | Leeliicq.exe | 3
PID 4876 wrote to memory of 3420 | 4876 | Mkwlvmfy.exe | Jdyfi.exe | 2
PID 3420 wrote to memory of 1396 | 3420 | Jdyfi.exe | Lmndyfrlq.exe | 3
PID 3420 wrote to memory of 1128 | 3420 | Jdyfi.exe | Rapyzfeak.exe | 3
PID 1924 wrote to memory of 1400 | 1924 | Leeliicq.exe | cmd.exe | 3
PID 1924 wrote to memory of 4432 | 1924 | Leeliicq.exe | cmd.exe | 3
PID 1400 wrote to memory of 1848 | 1400 | cmd.exe | schtasks.exe | 3
PID 4432 wrote to memory of 5080 | 4432 | cmd.exe | timeout.exe | 3
PID 4432 wrote to memory of 4552 | 4432 | cmd.exe | Service Host.exe | 3
PID 1396 wrote to memory of 4644 | 1396 | Lmndyfrlq.exe | MSIEXEC.EXE | 3
PID 4456 wrote to memory of 4376 | 4456 | msiexec.exe | MsiExec.exe | 3
PID 1128 wrote to memory of 4484 | 1128 | Rapyzfeak.exe | cmd.exe | 3
PID 4484 wrote to memory of 3680 | 4484 | cmd.exe | schtasks.exe | 3
PID 1128 wrote to memory of 3312 | 1128 | Rapyzfeak.exe | cmd.exe | 3
PID 3312 wrote to memory of 4240 | 3312 | cmd.exe | timeout.exe | 3
PID 3312 wrote to memory of 1960 | 3312 | cmd.exe | Service Host.exe | 3
PID 4948 wrote to memory of 4400 | 4948 | Blko.exe | cmd.exe | 2
PID 4400 wrote to memory of 1924 | 4400 | cmd.exe | chcp.com | 2
PID 4400 wrote to memory of 2360 | 4400 | cmd.exe | netsh.exe | 2
PID 4400 wrote to memory of 3844 | 4400 | cmd.exe | findstr.exe | 2
PID 4948 wrote to memory of 1672 | 4948 | Blko.exe | cmd.exe | 2
PID 1672 wrote to memory of 4512 | 1672 | cmd.exe | chcp.com | 2
PID 1672 wrote to memory of 2696 | 1672 | cmd.exe | netsh.exe | 1
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe
command line: "C:\Users\Admin\AppData\Local\Temp\B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
depth 2: C:\Users\Admin\AppData\Local\Temp\Blko.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Blko.exe"
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
depth 3: C:\Windows\SYSTEM32\cmd.exe
command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\system32\chcp.com
command line: chcp 65001
-
depth 4: C:\Windows\system32\netsh.exe
command line: netsh wlan show profile
-
depth 4: C:\Windows\system32\findstr.exe
command line: findstr All
-
depth 3: C:\Windows\SYSTEM32\cmd.exe
command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\system32\chcp.com
command line: chcp 65001
-
depth 4: C:\Windows\system32\netsh.exe
command line: netsh wlan show networks mode=bssid
-
depth 3: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3B22.tmp.bat
-
depth 4: C:\Windows\system32\chcp.com
command line: chcp 65001
-
depth 4: C:\Windows\system32\taskkill.exe
command line: TaskKill /F /IM 4948
- Kills process with taskkill
-
depth 4: C:\Windows\system32\timeout.exe
command line: Timeout /T 2 /Nobreak
- Delays execution with timeout.exe
-
depth 2: C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\SysWOW64\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"' & exit
- Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SysWOW64\schtasks.exe
command line: schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
- Creates scheduled task(s)
-
depth 4: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA609.tmp.bat""
- Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SysWOW64\timeout.exe
command line: timeout 3
- Delays execution with timeout.exe
-
depth 5: C:\Users\Admin\AppData\Roaming\Service Host.exe
command line: "C:\Users\Admin\AppData\Roaming\Service Host.exe"
- Executes dropped EXE
-
depth 3: C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SysWOW64\MSIEXEC.EXE
command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{A88148C7-A58E-426C-B020-97FB8D1E30EF}\SetupTikTokPlus.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Lmndyfrlq.exe"
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
depth 4: C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SysWOW64\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"' & exit
- Suspicious use of WriteProcessMemory
-
depth 6: C:\Windows\SysWOW64\schtasks.exe
command line: schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
- Creates scheduled task(s)
-
depth 5: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE8CE.tmp.bat""
- Suspicious use of WriteProcessMemory
-
depth 6: C:\Windows\SysWOW64\timeout.exe
command line: timeout 3
- Delays execution with timeout.exe
-
depth 6: C:\Users\Admin\AppData\Roaming\Service Host.exe
command line: "C:\Users\Admin\AppData\Roaming\Service Host.exe"
- Executes dropped EXE
-
depth 1: C:\Windows\system32\msiexec.exe
command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\syswow64\MsiExec.exe
command line: C:\Windows\syswow64\MsiExec.exe -Embedding 475A4FA71A9D41D245C715EF0009544B C
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Downloaded Installations\{A88148C7-A58E-426C-B020-97FB8D1E30EF}\SetupTikTokPlus.msi
Filesize 33.2MB
MD5 7f784ac43b811a6f648ff3c984410ca0
SHA1 6f1b79470facb8a4e5b47b809a663126edb802ec
SHA256 7cf8f058778f9d6066a6bd579ca6e2e5e55c3f488748d2108e3b0b9a7f2de512
SHA512 62aa64ce24285983dc861b31fc0f53b58f3da7b2b39f9f3e259fdd0199920a6f32e9c443f0d9a1403947d84085d435b2cfd2e02e5bbdc804ab71d0d29e485e86
-
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
Filesize 293KB
MD5 7a2d5deab61f043394a510f4e2c0866f
SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
C:\Users\Admin\AppData\Local\Temp\Blko.exe
Filesize 304KB
MD5 c5a1a80b17e6cdad96f21f92160e7a6d
SHA1 f33bd203d5412df427b41360e217de3b72112e75
SHA256 d4753222b1b400a0f8812a9ca1e1a00f646ef4b46f569e8f19eac7fec05eeac5
SHA512 d8689f75683ea406da58d234f3f7ec902b0a0b29a3c43a1de0169f6db13bef4a63550d05bbebefc79dd39e2899a299a5cf920e354a2ce7cf868c235bbce0f708
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize 448KB
MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe
Filesize 32.0MB
MD5 c61d02d9bc8430640de22e5873f2a95e
SHA1 1049789deeaa3a55a2e884d6d36a2d3199455e4c
SHA256 103dfcddeaf65095d7f775314070b5dbc4cb9ecc147ff544eba00b1c15cf12d3
SHA512 fd8e84f5465c37a75790004134487d9c3633bc59e985e139722a8f2e77b9b659f3f2ec85f8af59d29e570a8a49ae5dc984312102e2cdc5850a6859f290fb29b5
-
C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe
Filesize 45KB
MD5 4b3284d70137fee18f1068d0b3ec3819
SHA1 24a47e72ea5f76bbc37b0281bb24508b631157de
SHA256 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
SHA512 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d
-
C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe
Filesize 32.8MB
MD5 58d4e2a29f5f12ed8a361443ef92444e
SHA1 748bc7f49e5ecb818ec39897fc817ffe703c5ded
SHA256 b530fa22f8e41fceecba250f3e070656a1bf470f221ebe368445948c37d5b81b
SHA512 51179701ab0cd4af9cca357298db1d3fd5cc7c1225d1b050afdf25f18d240f0b3ebf867d9e0dab717aafd6e559f75742c08a5aa9a62a7ae3b3027d86f7d3ebde
-
C:\Users\Admin\AppData\Local\Temp\MSIDD26.tmp
Filesize 153KB
MD5 c90f51e8f8c547ce8a48c22ecdcf5304
SHA1 b7a5831e3678693ebb254b5720a58020c0772551
SHA256 226f3e224bfc7d77afff0f3d9048d1727eea7aa5e2e443f8cc55baa7dc5c6473
SHA512 ae667b38251f4ec2062a42f8238ac8391a2aed0a2833a5320d3b296347a689e59a4f442add547b6a202aea4ddcab16e3db823452e18714c69585efed0c4e9903
-
C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe
Filesize 32.1MB
MD5 29862545c340a4a0cb79600d275b75dd
SHA1 6be93f123bddef0727d3ed64ff82d1b91e45d68d
SHA256 028be801a20513d0ca91ab1249d1695d89c4c03490d32ebd2751a8a977cf120f
SHA512 2d64fb68293ad4d243410a92fee5b1723868f3454bcf4b01921ead3b76c9f4706ec79dc44ab440a5eff82de95d914deb30b04e7200c45d00d7b36aafaf29781d
-
C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe
Filesize 45KB
MD5 4b3284d70137fee18f1068d0b3ec3819
SHA1 24a47e72ea5f76bbc37b0281bb24508b631157de
SHA256 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
SHA512 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d
-
C:\Users\Admin\AppData\Local\Temp\tmp3B22.tmp.bat
Filesize 233B
MD5 a236bf5950a4c1a52de0a62596cbd713
SHA1 420d612ad33ecab3c9eaeb0bdb181e846fb9777c
SHA256 126e757bc4d697d9e3a7140cdc6017aeb5f5a251907530994f5931fdd39b7b7e
SHA512 50190a94a26b3d823cd67a6bee250ceb6ff669db2b4cf5bfbaf52a09c22e024b02992d1bc730538e32a399bd896cb9b24275f56277d706d77b5a128d146f8536
-
C:\Users\Admin\AppData\Local\Temp\tmpA609.tmp.bat
Filesize 156B
MD5 7e12cd9cbba28cb3730ea34b36434da4
SHA1 9504cf9a9a8bfecb0a315d8c18ab8fce08d4459c
SHA256 0517d91faf7242a7efb40be6a901644661b62b4c55608b5abe8336b855971a0a
SHA512 0b8ad0cca696ef98bb4e1589156352f3da4a2f683eca9370b524ae312d8043eefe87161a967a7f356f6aba17579cb6d72fbe7dca8b5e364f089f8f0811d4e161
-
C:\Users\Admin\AppData\Local\Temp\tmpE8CE.tmp.bat
Filesize 156B
MD5 e5d71e4509ad3094aee82da887253393
SHA1 13f55bdfb233faa2b3a7a67a86dd65817805540c
SHA256 0179e85db6d26ed4caabd1d57cee271a53d0df5289f508208d71fd221106e0e3
SHA512 8979425d5fcd69e67dc2eec5183e371d60b2768560a930d85b99d1fcb520f405c58760075adb1457d42a89e3a84b88eeff89dfd56f73f94cc287e7c026b93bdc
-
C:\Users\Admin\AppData\Roaming\Service Host.exe
Filesize 45KB
MD5 4b3284d70137fee18f1068d0b3ec3819
SHA1 24a47e72ea5f76bbc37b0281bb24508b631157de
SHA256 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
SHA512 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d
-
memory/1128-156-0x0000000000000000-mapping.dmp
-
memory/1276-199-0x0000000000000000-mapping.dmp
-
memory/1300-196-0x0000000000000000-mapping.dmp
-
memory/1396-155-0x0000000000000000-mapping.dmp
-
memory/1400-163-0x0000000000000000-mapping.dmp
-
memory/1672-189-0x0000000000000000-mapping.dmp
-
memory/1848-165-0x0000000000000000-mapping.dmp
-
memory/1924-186-0x0000000000000000-mapping.dmp
-
memory/1924-162-0x0000000005400000-0x000000000549C000-memory.dmp
Filesize 624KB
-
memory/1924-145-0x0000000000000000-mapping.dmp
-
memory/1924-148-0x0000000000800000-0x0000000000812000-memory.dmp
Filesize 72KB
-
memory/1960-192-0x0000000005D10000-0x00000000062B4000-memory.dmp
Filesize 5.6MB
-
memory/1960-193-0x0000000005830000-0x0000000005896000-memory.dmp
Filesize 408KB
-
memory/1960-182-0x0000000000000000-mapping.dmp
-
memory/2144-198-0x0000000000000000-mapping.dmp
-
memory/2360-187-0x0000000000000000-mapping.dmp
-
memory/2696-191-0x0000000000000000-mapping.dmp
-
memory/3312-179-0x0000000000000000-mapping.dmp
-
memory/3420-153-0x0000000000BE0000-0x0000000002BEE000-memory.dmp
Filesize 32.1MB
-
memory/3420-149-0x0000000000000000-mapping.dmp
-
memory/3420-154-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/3420-161-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/3680-178-0x0000000000000000-mapping.dmp
-
memory/3844-188-0x0000000000000000-mapping.dmp
-
memory/4152-141-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4152-132-0x0000000000F50000-0x0000000002FB6000-memory.dmp
Filesize 32.4MB
-
memory/4152-133-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4240-181-0x0000000000000000-mapping.dmp
-
memory/4376-174-0x0000000000000000-mapping.dmp
-
memory/4400-185-0x0000000000000000-mapping.dmp
-
memory/4432-164-0x0000000000000000-mapping.dmp
-
memory/4484-177-0x0000000000000000-mapping.dmp
-
memory/4512-190-0x0000000000000000-mapping.dmp
-
memory/4552-168-0x0000000000000000-mapping.dmp
-
memory/4644-171-0x0000000000000000-mapping.dmp
-
memory/4876-144-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4876-152-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4876-143-0x0000000000A10000-0x0000000002A28000-memory.dmp
Filesize 32.1MB
-
memory/4876-138-0x0000000000000000-mapping.dmp
-
memory/4896-200-0x0000000000000000-mapping.dmp
-
memory/4948-194-0x000000001C9A0000-0x000000001CA16000-memory.dmp
Filesize 472KB
-
memory/4948-195-0x000000001CA20000-0x000000001CAA4000-memory.dmp
Filesize 528KB
-
memory/4948-173-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4948-137-0x0000000000D00000-0x0000000000D50000-memory.dmp
Filesize 320KB
-
memory/4948-142-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4948-201-0x00007FFA44BA0000-0x00007FFA45661000-memory.dmp
Filesize 10.8MB
-
memory/4948-134-0x0000000000000000-mapping.dmp
-
memory/5080-167-0x0000000000000000-mapping.dmp