Analysis
- max time kernel: 91s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 10:30

Static task: static1
Behavioral task: behavioral1
- Sample: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Resource: win10v2004-20221111-en
General
- Target: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Size: 32.4MB
- MD5: c5681f0e12aac8a5f3461b636bb03e0e
- SHA1: 7dccbceaaa2f18357746e7105c2d9a5caa75e8fa
- SHA256: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715
- SHA512: c72bf2510dfc7ff8ebbe769c1851c7bd068c901460820d7bbf5bbe06217f8ba0dd0e1cfab83a009f06fedc28ba7b765cc5393fa3861c39316e8a22b52941b33e
- SSDEEP: 786432:uNNuklYm9MgdaR5qAV72zEWxOUfM30wvvoO2Hum6y/E87eqzDI:u3uklYmMVfqOq46E0+277C6DI
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 135.148.113.4:6789
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: true
  - install_file: Service Host.exe
  - install_folder: %AppData%
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (3 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
- C:\Users\Admin\AppData\Local\Temp\Blko.exe | family_stormkitty
- behavioral2/memory/5096-137-0x0000000000160000-0x00000000001B0000-memory.dmp | family_stormkitty

Async RAT payload (9 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe | asyncrat
- C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe | asyncrat
- behavioral2/memory/1520-148-0x0000000000960000-0x0000000000972000-memory.dmp | asyncrat
- C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe | asyncrat
- C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe | asyncrat
- C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
- C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
- C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
- C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Blko.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Mkwlvmfy.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Jdyfi.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Leeliicq.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Rapyzfeak.exe

Executes dropped EXE (8 IoCs)
pid | process
- 5096 | Blko.exe
- 4308 | Mkwlvmfy.exe
- 1520 | Leeliicq.exe
- 2480 | Jdyfi.exe
- 2628 | Lmndyfrlq.exe
- 1516 | Rapyzfeak.exe
- 3980 | Service Host.exe
- 3776 | Service Host.exe

Loads dropped DLL (1 IoC)
pid | process
- 2124 | MsiExec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule vmprotect matched (signature title missing from the page)
resource | yara_rule
- behavioral2/memory/5096-195-0x00000000207B0000-0x0000000020834000-memory.dmp | vmprotect
- C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll | vmprotect

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process (24 entries per process, every drive letter except C: and D:)
- File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | MSIEXEC.EXE
- File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 19 | ip-api.com
- 44 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Blko.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Blko.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
- 3272 | schtasks.exe
- 3164 | schtasks.exe

Delays execution with timeout.exe (3 IoCs)
pid | process
- 2228 | timeout.exe
- 3464 | timeout.exe
- 4692 | timeout.exe

Kills process with taskkill (1 IoC)
pid | process
- 4576 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (64 entries in total, in the order recorded)
- 1520 | Leeliicq.exe (repeated)
- 5096 | Blko.exe
- 1516 | Rapyzfeak.exe (repeated)
- 5096 | Blko.exe (repeated)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
- Token: SeDebugPrivilege | 1520 | Leeliicq.exe
- Token: SeDebugPrivilege | 5096 | Blko.exe
- Token: SeSecurityPrivilege | 2256 | msiexec.exe
- 61 entries for 3016 MSIEXEC.EXE: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then two consecutive passes of the sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (29 privileges per pass), then SeCreateTokenPrivilege once more

Suspicious use of FindShellTrayWindow (1 IoC)
pid | process
- 3016 | MSIEXEC.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
parent pid process → target pid process (count of "wrote to memory of" entries)
- 4576 b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe → 5096 Blko.exe (×2)
- 4576 b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe → 4308 Mkwlvmfy.exe (×2)
- 4308 Mkwlvmfy.exe → 1520 Leeliicq.exe (×3)
- 4308 Mkwlvmfy.exe → 2480 Jdyfi.exe (×2)
- 2480 Jdyfi.exe → 2628 Lmndyfrlq.exe (×3)
- 2480 Jdyfi.exe → 1516 Rapyzfeak.exe (×3)
- 1520 Leeliicq.exe → 3580 cmd.exe (×3)
- 1520 Leeliicq.exe → 3572 cmd.exe (×3)
- 3580 cmd.exe → 3272 schtasks.exe (×3)
- 3572 cmd.exe → 2228 timeout.exe (×3)
- 3572 cmd.exe → 3980 Service Host.exe (×3)
- 2628 Lmndyfrlq.exe → 3016 MSIEXEC.EXE (×3)
- 2256 msiexec.exe → 2124 MsiExec.exe (×3)
- 1516 Rapyzfeak.exe → 1900 cmd.exe (×3)
- 1900 cmd.exe → 3164 schtasks.exe (×3)
- 1516 Rapyzfeak.exe → 4580 cmd.exe (×3)
- 4580 cmd.exe → 3464 timeout.exe (×3)
- 4580 cmd.exe → 3776 Service Host.exe (×3)
- 5096 Blko.exe → 2656 cmd.exe (×2)
- 2656 cmd.exe → 3796 chcp.com (×2)
- 2656 cmd.exe → 2592 netsh.exe (×2)
- 2656 cmd.exe → 3140 findstr.exe (×2)
- 5096 Blko.exe → 2488 cmd.exe (×2)
- 2488 cmd.exe → 2584 chcp.com (×2)
- 2488 cmd.exe → 3932 netsh.exe (×1)

outlook_office_path (1 IoC)
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe

outlook_win_path (1 IoC)
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Blko.exe
Processes
(the number in brackets is the depth of the process in the tree; "cmdline" is the recorded command line, followed by the signatures that fired for that process)

[1] C:\Users\Admin\AppData\Local\Temp\b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Blko.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Blko.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
    [3] C:\Windows\SYSTEM32\cmd.exe
        cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\chcp.com
          cmdline: chcp 65001
      [4] C:\Windows\system32\netsh.exe
          cmdline: netsh wlan show profile
      [4] C:\Windows\system32\findstr.exe
          cmdline: findstr All
    [3] C:\Windows\SYSTEM32\cmd.exe
        cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\chcp.com
          cmdline: chcp 65001
      [4] C:\Windows\system32\netsh.exe
          cmdline: netsh wlan show networks mode=bssid
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp14CD.tmp.bat
      [4] C:\Windows\system32\chcp.com
          cmdline: chcp 65001
      [4] C:\Windows\system32\taskkill.exe
          cmdline: TaskKill /F /IM 5096
          - Kills process with taskkill
      [4] C:\Windows\system32\timeout.exe
          cmdline: Timeout /T 2 /Nobreak
          - Delays execution with timeout.exe
  [2] C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"' & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
            - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E89.tmp.bat""
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\Service Host.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Service Host.exe"
            - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\MSIEXEC.EXE
            cmdline: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{A88148C7-A58E-426C-B020-97FB8D1E30EF}\SetupTikTokPlus.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Lmndyfrlq.exe"
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
      [4] C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"' & exit
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
              - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.bat""
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\timeout.exe
              cmdline: timeout 3
              - Delays execution with timeout.exe
          [6] C:\Users\Admin\AppData\Roaming\Service Host.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\Service Host.exe"
              - Executes dropped EXE

[1] C:\Windows\SysWOW64\timeout.exe
    cmdline: timeout 3
    - Delays execution with timeout.exe

[1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D4EAE95FC1433B3C6CADA0998A8D2B72 C
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(files dropped during the run; entries that the report listed more than once with identical hashes are given once, with the count)

- C:\Users\Admin\AppData\Local\Downloaded Installations\{A88148C7-A58E-426C-B020-97FB8D1E30EF}\SetupTikTokPlus.msi
  Filesize: 33.2MB
  MD5: 7f784ac43b811a6f648ff3c984410ca0
  SHA1: 6f1b79470facb8a4e5b47b809a663126edb802ec
  SHA256: 7cf8f058778f9d6066a6bd579ca6e2e5e55c3f488748d2108e3b0b9a7f2de512
  SHA512: 62aa64ce24285983dc861b31fc0f53b58f3da7b2b39f9f3e259fdd0199920a6f32e9c443f0d9a1403947d84085d435b2cfd2e02e5bbdc804ab71d0d29e485e86

- C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
  Filesize: 293KB
  MD5: 7a2d5deab61f043394a510f4e2c0866f
  SHA1: ca16110c9cf6522cd7bea32895fd0f697442849b
  SHA256: 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
  SHA512: b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

- C:\Users\Admin\AppData\Local\Temp\Blko.exe (listed 2 times)
  Filesize: 304KB
  MD5: c5a1a80b17e6cdad96f21f92160e7a6d
  SHA1: f33bd203d5412df427b41360e217de3b72112e75
  SHA256: d4753222b1b400a0f8812a9ca1e1a00f646ef4b46f569e8f19eac7fec05eeac5
  SHA512: d8689f75683ea406da58d234f3f7ec902b0a0b29a3c43a1de0169f6db13bef4a63550d05bbebefc79dd39e2899a299a5cf920e354a2ce7cf868c235bbce0f708

- C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
  Filesize: 448KB
  MD5: 6d1c62ec1c2ef722f49b2d8dd4a4df16
  SHA1: 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
  SHA256: 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
  SHA512: c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

- C:\Users\Admin\AppData\Local\Temp\Jdyfi.exe (listed 2 times)
  Filesize: 32.0MB
  MD5: c61d02d9bc8430640de22e5873f2a95e
  SHA1: 1049789deeaa3a55a2e884d6d36a2d3199455e4c
  SHA256: 103dfcddeaf65095d7f775314070b5dbc4cb9ecc147ff544eba00b1c15cf12d3
  SHA512: fd8e84f5465c37a75790004134487d9c3633bc59e985e139722a8f2e77b9b659f3f2ec85f8af59d29e570a8a49ae5dc984312102e2cdc5850a6859f290fb29b5

- C:\Users\Admin\AppData\Local\Temp\Leeliicq.exe (listed 2 times)
  Filesize: 45KB
  MD5: 4b3284d70137fee18f1068d0b3ec3819
  SHA1: 24a47e72ea5f76bbc37b0281bb24508b631157de
  SHA256: 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
  SHA512: 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d

- C:\Users\Admin\AppData\Local\Temp\Lmndyfrlq.exe (listed 2 times)
  Filesize: 32.8MB
  MD5: 58d4e2a29f5f12ed8a361443ef92444e
  SHA1: 748bc7f49e5ecb818ec39897fc817ffe703c5ded
  SHA256: b530fa22f8e41fceecba250f3e070656a1bf470f221ebe368445948c37d5b81b
  SHA512: 51179701ab0cd4af9cca357298db1d3fd5cc7c1225d1b050afdf25f18d240f0b3ebf867d9e0dab717aafd6e559f75742c08a5aa9a62a7ae3b3027d86f7d3ebde

- C:\Users\Admin\AppData\Local\Temp\MSIBC5F.tmp (listed 2 times)
  Filesize: 153KB
  MD5: c90f51e8f8c547ce8a48c22ecdcf5304
  SHA1: b7a5831e3678693ebb254b5720a58020c0772551
  SHA256: 226f3e224bfc7d77afff0f3d9048d1727eea7aa5e2e443f8cc55baa7dc5c6473
  SHA512: ae667b38251f4ec2062a42f8238ac8391a2aed0a2833a5320d3b296347a689e59a4f442add547b6a202aea4ddcab16e3db823452e18714c69585efed0c4e9903

- C:\Users\Admin\AppData\Local\Temp\Mkwlvmfy.exe (listed 2 times)
  Filesize: 32.1MB
  MD5: 29862545c340a4a0cb79600d275b75dd
  SHA1: 6be93f123bddef0727d3ed64ff82d1b91e45d68d
  SHA256: 028be801a20513d0ca91ab1249d1695d89c4c03490d32ebd2751a8a977cf120f
  SHA512: 2d64fb68293ad4d243410a92fee5b1723868f3454bcf4b01921ead3b76c9f4706ec79dc44ab440a5eff82de95d914deb30b04e7200c45d00d7b36aafaf29781d

- C:\Users\Admin\AppData\Local\Temp\Rapyzfeak.exe (listed 2 times; same hashes as Leeliicq.exe)
  Filesize: 45KB
  MD5: 4b3284d70137fee18f1068d0b3ec3819
  SHA1: 24a47e72ea5f76bbc37b0281bb24508b631157de
  SHA256: 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
  SHA512: 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d

- C:\Users\Admin\AppData\Local\Temp\tmp14CD.tmp.bat
  Filesize: 233B
  MD5: c423d0f8df6c865cff397526ba0e6598
  SHA1: 6b7875d0b1547327e2b7e0c30d3db6e1d2b20938
  SHA256: e7ec72fe22819eedb117b5baef76d40312112c3d527cf7ef195f53f9322d7b6d
  SHA512: cfe34afab1fd1092cfc2f3078b1ef17f6320340e50a01ac4e5159925a7b909dc6fa6f9f31f33ba0bc22930faa601c8fe5d9260bb0ab3dd84abfb151f727084f1

- C:\Users\Admin\AppData\Local\Temp\tmp8E89.tmp.bat
  Filesize: 156B
  MD5: 9602e53b3791753d49138d8a7703e159
  SHA1: 1a129cbeb46752ad8816b4a2f9b762a7105b510d
  SHA256: b14d1bcda9fe9c58f84548d639c19e6961859842ccb281104b47655f86655917
  SHA512: 2004d9b552d2624ef0fe4545746c5b092941533bdbb62ae556c2f624afb2a438919a34e21ea5dc386658f46246aa857e499ee1f3abbc41e10a20359fbda05197

- C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.bat
  Filesize: 156B
  MD5: 766df440154ae68c4f420286228bab68
  SHA1: 9f763f9b43e33bd28ca3af7c68473b947551f22a
  SHA256: 496f310947777f27c2e872f933c3283e94e62562429c3bae68d28b77fbf7d6fb
  SHA512: 894f24a865fd2ad8f1ddc9972dba17ae9a443ce4a2c3e8038a1edde2fb75cf10c0ff5dbf9ceb6eee84b6e0824e78b9f49d72070e7cf6e627977a4a7120f42595

- C:\Users\Admin\AppData\Roaming\Service Host.exe (listed 4 times; same hashes as Leeliicq.exe)
  Filesize: 45KB
  MD5: 4b3284d70137fee18f1068d0b3ec3819
  SHA1: 24a47e72ea5f76bbc37b0281bb24508b631157de
  SHA256: 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
  SHA512: 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d