guloader | c18236bbfdf439b697501aaba8a7f8878902d412e2aa0f23df20161eb500f158

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NTS_eTaxInvoice 3-2-2023·pdf.exe
Size

332KB
MD5

a8cd6b4bb8c742162581ed1a314cfe9f
SHA1

dfc294e2ff0938e470621cbe35fecbf5eb75c631
SHA256

c18236bbfdf439b697501aaba8a7f8878902d412e2aa0f23df20161eb500f158
SHA512

cfe27e7ec63881b64b431275cd59995850e13f7d9dba99c8f69c34462610805149246c78a30f7c62e9aa3533b8c7e1143f9e9705c1142c416ce07a2baecf5345
SSDEEP

6144:twq3NpWyFr7S0HFwnNHF6KzMw4y7H2C00LUfGAqOolFhNHdKCeebZRueNk8K:tzayFfDwNgoMAz5UfGaMhNQ/6ZRueZK

Score

10^/10

guloader nanocore collection downloader evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

masterpat0nms672ns.duckdns.org:3498

Mutex

e277811f-20a3-49b6-ae15-cbb22e96ee2f

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2022-11-13T22:04:22.529311336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3498
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e277811f-20a3-49b6-ae15-cbb22e96ee2f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
masterpat0nms672ns.duckdns.org
primary_dns_server
masterpat0nms672ns.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
15
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3060-160-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3060-162-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3060-163-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3060-164-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3060-160-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3060-162-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3060-163-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3060-164-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.execaspol.exeTask Manager.exeTask Manager.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	NTS_eTaxInvoice 3-2-2023·pdf.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Task Manager.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Task Manager.exe

Executes dropped EXE 1 IoCs

Processes:

Task Manager.exe

pid process

3680 Task Manager.exe
Loads dropped DLL 3 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.exeTask Manager.exeTask Manager.exe

pid process

5056 NTS_eTaxInvoice 3-2-2023·pdf.exe
3680 Task Manager.exe
3632 Task Manager.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3680	Task Manager.exe

pid	process
5056	NTS_eTaxInvoice 3-2-2023·pdf.exe
3680	Task Manager.exe
3632	Task Manager.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Task Manager.execaspol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Task Manager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Windows.exe"	Task Manager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	caspol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Windows.exe"	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

Processes:

caspol.exeTask Manager.exe

pid process

3848 caspol.exe
3632 Task Manager.exe
3632 Task Manager.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.execaspol.exeTask Manager.exeTask Manager.exe

pid process

5056 NTS_eTaxInvoice 3-2-2023·pdf.exe
3848 caspol.exe
3680 Task Manager.exe
3632 Task Manager.exe

pid	process
5056	NTS_eTaxInvoice 3-2-2023·pdf.exe
3848	caspol.exe
3680	Task Manager.exe
3632	Task Manager.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.execaspol.exeTask Manager.exe

description	pid	process	target process
PID 5056 set thread context of 3848	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 3848 set thread context of 3060	3848	caspol.exe	vbc.exe
PID 3848 set thread context of 5116	3848	caspol.exe	vbc.exe
PID 3680 set thread context of 3632	3680	Task Manager.exe	Task Manager.exe

Drops file in Program Files directory 2 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.exeTask Manager.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\birdbath\Telamon.God	NTS_eTaxInvoice 3-2-2023·pdf.exe
File opened for modification	C:\Program Files (x86)\birdbath\Telamon.God	Task Manager.exe

Drops file in Windows directory 4 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.exeTask Manager.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Hyperborean\tylostylote.ini	NTS_eTaxInvoice 3-2-2023·pdf.exe
File opened for modification	C:\Windows\resources\0409\Unconfected.Irr	NTS_eTaxInvoice 3-2-2023·pdf.exe
File opened for modification	C:\Windows\Fonts\Hyperborean\tylostylote.ini	Task Manager.exe
File opened for modification	C:\Windows\resources\0409\Unconfected.Irr	Task Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1900 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4040 reg.exe

pid	process
1900	schtasks.exe

pid	process
4040	reg.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

caspol.exevbc.exe

pid	process
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
5116	vbc.exe
5116	vbc.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe
3848	caspol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

caspol.exe

pid process

3848 caspol.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.exeTask Manager.exe

pid process

5056 NTS_eTaxInvoice 3-2-2023·pdf.exe
5056 NTS_eTaxInvoice 3-2-2023·pdf.exe
5056 NTS_eTaxInvoice 3-2-2023·pdf.exe
3680 Task Manager.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

Task Manager.exe

pid process

3680 Task Manager.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caspol.exe

description pid process

Token: SeDebugPrivilege 3848 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Task Manager.exe

pid process

3632 Task Manager.exe

pid	process
5056	NTS_eTaxInvoice 3-2-2023·pdf.exe
5056	NTS_eTaxInvoice 3-2-2023·pdf.exe
5056	NTS_eTaxInvoice 3-2-2023·pdf.exe
3680	Task Manager.exe

pid	process
3680	Task Manager.exe

description	pid	process
Token: SeDebugPrivilege	3848	caspol.exe

pid	process
3632	Task Manager.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

NTS_eTaxInvoice 3-2-2023·pdf.execaspol.exeTask Manager.exeTask Manager.execmd.exe

description	pid	process	target process
PID 5056 wrote to memory of 3836	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3836	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3836	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3736	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3736	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3736	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3848	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3848	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3848	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 5056 wrote to memory of 3848	5056	NTS_eTaxInvoice 3-2-2023·pdf.exe	caspol.exe
PID 3848 wrote to memory of 1900	3848	caspol.exe	schtasks.exe
PID 3848 wrote to memory of 1900	3848	caspol.exe	schtasks.exe
PID 3848 wrote to memory of 1900	3848	caspol.exe	schtasks.exe
PID 3848 wrote to memory of 3680	3848	caspol.exe	Task Manager.exe
PID 3848 wrote to memory of 3680	3848	caspol.exe	Task Manager.exe
PID 3848 wrote to memory of 3680	3848	caspol.exe	Task Manager.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 3060	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3848 wrote to memory of 5116	3848	caspol.exe	vbc.exe
PID 3680 wrote to memory of 3632	3680	Task Manager.exe	Task Manager.exe
PID 3680 wrote to memory of 3632	3680	Task Manager.exe	Task Manager.exe
PID 3680 wrote to memory of 3632	3680	Task Manager.exe	Task Manager.exe
PID 3680 wrote to memory of 3632	3680	Task Manager.exe	Task Manager.exe
PID 3632 wrote to memory of 4976	3632	Task Manager.exe	cmd.exe
PID 3632 wrote to memory of 4976	3632	Task Manager.exe	cmd.exe
PID 3632 wrote to memory of 4976	3632	Task Manager.exe	cmd.exe
PID 4976 wrote to memory of 4040	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4040	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4040	4976	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice 3-2-2023·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice 3-2-2023·pdf.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice 3-2-2023·pdf.exe"
2⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice 3-2-2023·pdf.exe"
2⤵
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice 3-2-2023·pdf.exe"
2⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC69C.tmp"
3⤵
- Creates scheduled task(s)
PID:1900

C:\Users\Admin\AppData\Local\Temp\Task Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Task Manager.exe"
3⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\Task Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Task Manager.exe"
4⤵
- Checks QEMU agent file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- UAC bypass
- Modifies registry key
PID:4040

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\5wjr11n0.2fw"
3⤵
- Accesses Microsoft Outlook accounts
PID:3060

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\mtutnleo.kym"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
afc9592808b63a02ee9161e60522a972

SHA1
9c6c3c65c24cae0e34bed98b389d6fb3c23c3ed9

SHA256
beaab3e30a065d9766a8a3c4341df70519e678336bf873b88cb20259687a5d77

SHA512
a61126003b256d28b2ad628e72a229ac2ac8ed13623000644f21418e21773e74f67792f498a6abb4188e0bfd3f2e3c029c04ef4093c6f712d7316256dd2e0c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6
Filesize
472B

MD5
0c15fd84f4711d994724c35236542194

SHA1
c47d77fe5b373a86bd9a116bd8baac07ec746add

SHA256
a210a4599baaa980674b456f020282cd470559b319be263fdcf9eaec7cff0d3b

SHA512
a82153561a40444b1ced7c6311f48ce89ba1a23fe3391ffe3e00da530448d6d2e197ee69e1669c7e4f3a8c418dd69d43e1975faa840150bd703fcf8f8587b607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_968B2CF3BEA8ABEBC14616E81955A26C
Filesize
472B

MD5
1c56c7c141fbb2647e4909546c5ee1ac

SHA1
bf1479b20c78d135ce6397b0bff0e6573a3bcbef

SHA256
30cd3ac555fa6d8d5a5a1165b9ff3b78336c0c3c44e22f034879869a99f61043

SHA512
905107e0cf07f330f416dff78db7dd7e2a0657c20702529b4bb881a2afecfa966c23bd4284837d148735af5bf261410572d3c6a8ff1320497729353948b7c68d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
92d652a47715a8b1194721bb33acafa9

SHA1
7cbc98667c0c0cbb6174d0dc24a63004a1337566

SHA256
1954ddde889d13e424c3b3a4cddd68be6bee9530f64947ec7023fb3c39289cf4

SHA512
0b1a04bb91f805d09969773854dbc4395dac05e461f0274757b1627d05fc42577abea864156d8c7b8d02a8351a10cd10015d95965566de2463aefd8b7005c522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6
Filesize
402B

MD5
9133af101055af8f9ad762143d37e3bf

SHA1
ced8aba7d950656858252ee5cceb1f19c7d38e0e

SHA256
69698023749a314d13685c49855556107d6fd054b873992e91b8a593325d19aa

SHA512
f642ee94eb2bc912fe1d9e0eb7c0993ba4f407aeaf2fab8a747d94d12d60580fc26ff798bd3aedc095477f3841618cbc6180dfaba6711758dc881c7042562c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
749682916d9680eb36f46eafcd239a39

SHA1
3244003ff96a3c721c8dfb95c8d13cea46b3ddf1

SHA256
ccc0a0a4035f1f40918c45243ce6ca15fcb65ecb506c35ff6162b32a75aa3790

SHA512
3b9a7909fd6719f034a8643833b62820ba43e930d75459375f08590db4119d2fc84568de17686fa772ed639898f37f10c28cca4aa24bea160d4b269a681db0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_968B2CF3BEA8ABEBC14616E81955A26C
Filesize
402B

MD5
106f50de21aede0d143ae6959cef8f50

SHA1
a18eed7843ae3e7fd45d7ecba12e1f83cbda3fdf

SHA256
564234cc1b670b3f28704e05d073e803bdf03c85c8db7094bd961c54b2631ee4

SHA512
8f4647d2d57310db9c7721bae0a3a94201973206e2a951d7e3988e396ef53ae141cbbd373e5f5e75fd3ee85bc71f1d3d6c750c00f96048dd70ec85939cfab8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wjr11n0.2fw
Filesize
523B

MD5
69b2a2e17e78d24abee9f1de2f04811a

SHA1
d19c109704e83876ab3527457f9418a7d053aa33

SHA256
1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

SHA512
eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Task Manager.exe
Filesize
312KB

MD5
84ebd0f8c1164671adeb45fec366fceb

SHA1
3a8949eeb81ac258c515ecc576851d8913b25112

SHA256
b340007dcf7766488ee48d7ddbda0db90b00813cbcb0e8315952d98e95c4b54f

SHA512
7521a7147c846b06e838ad3af4be6f2b02d0899e04c090672f20e63ab5f644fff2cbaecdd98730a12786a2776ec3ca4888fe40f351a49427a3e59ceebb0df545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Task Manager.exe
Filesize
312KB

MD5
84ebd0f8c1164671adeb45fec366fceb

SHA1
3a8949eeb81ac258c515ecc576851d8913b25112

SHA256
b340007dcf7766488ee48d7ddbda0db90b00813cbcb0e8315952d98e95c4b54f

SHA512
7521a7147c846b06e838ad3af4be6f2b02d0899e04c090672f20e63ab5f644fff2cbaecdd98730a12786a2776ec3ca4888fe40f351a49427a3e59ceebb0df545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Task Manager.exe
Filesize
312KB

MD5
84ebd0f8c1164671adeb45fec366fceb

SHA1
3a8949eeb81ac258c515ecc576851d8913b25112

SHA256
b340007dcf7766488ee48d7ddbda0db90b00813cbcb0e8315952d98e95c4b54f

SHA512
7521a7147c846b06e838ad3af4be6f2b02d0899e04c090672f20e63ab5f644fff2cbaecdd98730a12786a2776ec3ca4888fe40f351a49427a3e59ceebb0df545

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtutnleo.kym
Filesize
3KB

MD5
02524418240369b25b988e9884cd1c54

SHA1
42a33322d952edf6d8431d4cd788bbc863d2b890

SHA256
80b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37

SHA512
7c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv129B.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvD6BF.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder1\Windows.exe
Filesize
332KB

MD5
afcdb1a552f235281bb6d673b1cf912b

SHA1
776986c3b0fe0508a7aaab0611e069efc430d1c0

SHA256
6d603908ad40f3526caf1e86a17b288696686d742d281484c2961e27cc707656

SHA512
035ada0fb75ae5a968d967be8cc8d916c41e926e9cf3693a18e7a57c9533f85fa7e0e7f024d17ff947640536dac2ba8f4d8f4679b86dfc8d8f7f6e819d712f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC69C.tmp
Filesize
1KB

MD5
497f298fc157762f192a7c42854c6fb6

SHA1
04bec630f5cc64ea17c0e3e780b3ccf15a35c6e0

SHA256
3462cbe62fbb64fc53a0fcf97e43baafe9dd9929204f586a86afe4b89d8048a6

SHA512
c7c6fd3097f4d1ccd313160fedf7cb031644e0836b8c3e25481095e5f4b003759bc84fc6ea9421e3a090e66dc2ff875fec2f394a386691ab178cb164733411b2

Download Submit
memory/1900-148-0x0000000000000000-mapping.dmp

Download
memory/3060-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-164-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-159-0x0000000000000000-mapping.dmp

Download
memory/3060-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3632-184-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/3632-183-0x0000000001660000-0x0000000002800000-memory.dmp

Filesize
17.6MB

Download
memory/3632-181-0x00007FF9B5E30000-0x00007FF9B6025000-memory.dmp

Filesize
2.0MB

Download
memory/3632-180-0x0000000001660000-0x0000000002800000-memory.dmp

Filesize
17.6MB

Download
memory/3632-178-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3632-176-0x0000000000000000-mapping.dmp

Download
memory/3680-174-0x00007FF9B5E30000-0x00007FF9B6025000-memory.dmp

Filesize
2.0MB

Download
memory/3680-173-0x0000000004AC0000-0x0000000005C60000-memory.dmp

Filesize
17.6MB

Download
memory/3680-154-0x0000000000000000-mapping.dmp

Download
memory/3680-179-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/3680-158-0x0000000004AC0000-0x0000000005C60000-memory.dmp

Filesize
17.6MB

Download
memory/3680-175-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/3848-143-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3848-144-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3848-146-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3848-137-0x0000000000000000-mapping.dmp

Download
memory/3848-152-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/3848-139-0x0000000000C30000-0x0000000001CBF000-memory.dmp

Filesize
16.6MB

Download
memory/3848-140-0x00007FF9B5E30000-0x00007FF9B6025000-memory.dmp

Filesize
2.0MB

Download
memory/3848-142-0x0000000000C30000-0x0000000001CBF000-memory.dmp

Filesize
16.6MB

Download
memory/3848-147-0x0000000072EF0000-0x00000000734A1000-memory.dmp

Filesize
5.7MB

Download
memory/3848-153-0x0000000072EF0000-0x00000000734A1000-memory.dmp

Filesize
5.7MB

Download
memory/3848-141-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/3848-151-0x00007FF9B5E30000-0x00007FF9B6025000-memory.dmp

Filesize
2.0MB

Download
memory/4040-194-0x0000000000000000-mapping.dmp

Download
memory/4976-193-0x0000000000000000-mapping.dmp

Download
memory/5056-135-0x00007FF9B5E30000-0x00007FF9B6025000-memory.dmp

Filesize
2.0MB

Download
memory/5056-150-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/5056-133-0x0000000004B00000-0x0000000005B8F000-memory.dmp

Filesize
16.6MB

Download
memory/5056-138-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/5056-134-0x0000000004B00000-0x0000000005B8F000-memory.dmp

Filesize
16.6MB

Download
memory/5056-136-0x00000000779F0000-0x0000000077B93000-memory.dmp

Filesize
1.6MB

Download
memory/5116-167-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-170-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-166-0x0000000000000000-mapping.dmp

Download
memory/5116-171-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download