orcus | ec4d4e355c7385b42fb551ec97b30aace1b8e46ab647e1e5861b27b5032be642

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-02-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe
Size

12KB
MD5

aba5075740d61e0655ae593bd41c12ed
SHA1

e7b240e772dd8b1101612602cf1b36da5d64ba16
SHA256

b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7
SHA512

e2569bf4380e8d832c5b91de45ca228446ec600e37ae1ce27b5056fce309f639ac1a4df4a7e09018e694c90478e1c57652beef4c037f1d5d4e94ee6a68807553
SSDEEP

192:UmeH0viGnxDuZ04FBKlTav2r6zWKhVHL2mpH/2mfLA9zxIWNXzya:DeKhDuZ04rCav2rElhVHLRpH/RTAbdzr

Score

10^/10

orcus stormkitty sln persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Sln

193.138.195.211:10134

Mutex

eaf050d367294b239fe7db992d6ea4d7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svc host
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 6 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.exe	family_orcus
C:\Windows\svchost.exe	family_orcus
\Program Files (x86)\svchost.exe	family_orcus
C:\Program Files (x86)\svchost.exe	family_orcus
C:\Program Files (x86)\svchost.exe	family_orcus
C:\Program Files (x86)\svchost.exe	family_orcus

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1536-80-0x0000000000B80000-0x0000000000B9E000-memory.dmp	family_stormkitty

Orcurs Rat Executable 8 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.exe	orcus
C:\Windows\svchost.exe	orcus
behavioral1/memory/1536-75-0x0000000000C70000-0x0000000000F78000-memory.dmp	orcus
\Program Files (x86)\svchost.exe	orcus
C:\Program Files (x86)\svchost.exe	orcus
behavioral1/memory/984-94-0x00000000008E0000-0x0000000000BE8000-memory.dmp	orcus
C:\Program Files (x86)\svchost.exe	orcus
C:\Program Files (x86)\svchost.exe	orcus

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

svchost.exeWindowsInput.exeWindowsInput.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

1536 svchost.exe
1932 WindowsInput.exe
684 WindowsInput.exe
984 svchost.exe
544 svchost.exe
1744 svchost.exe
932 svchost.exe
Loads dropped DLL 7 IoCs

Processes:

svchost.exesvchost.exe

pid process

1536 svchost.exe
1536 svchost.exe
984 svchost.exe
984 svchost.exe
984 svchost.exe
984 svchost.exe
984 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1536	svchost.exe
1932	WindowsInput.exe
684	WindowsInput.exe
984	svchost.exe
544	svchost.exe
1744	svchost.exe
932	svchost.exe

pid	process
1536	svchost.exe
1536	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files (x86)\\svchost.exe\""	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
14 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
9	ip-api.com
14	icanhazip.com

Drops file in System32 directory 3 IoCs

Processes:

svchost.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	svchost.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	svchost.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 4 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\svchost.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\svchost.exe	svchost.exe
File created	C:\Program Files (x86)\svchost.exe.config	svchost.exe
File created	C:\Program Files (x86)\Ionic.Zip.dll	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe

description ioc process

File created C:\Windows\svchost.exe b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\svchost.exe	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost.exe

pid	process
1720	powershell.exe
1280	powershell.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe
984	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeb43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe
Token: SeDebugPrivilege	984	svchost.exe
Token: SeDebugPrivilege	1744	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.execsc.exesvchost.exetaskeng.exesvchost.execmd.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 1192	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	csc.exe
PID 1784 wrote to memory of 1192	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	csc.exe
PID 1784 wrote to memory of 1192	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	csc.exe
PID 1784 wrote to memory of 1192	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	csc.exe
PID 1192 wrote to memory of 864	1192	csc.exe	cvtres.exe
PID 1192 wrote to memory of 864	1192	csc.exe	cvtres.exe
PID 1192 wrote to memory of 864	1192	csc.exe	cvtres.exe
PID 1192 wrote to memory of 864	1192	csc.exe	cvtres.exe
PID 1784 wrote to memory of 1720	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1720	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1720	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1720	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1280	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1280	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1280	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1280	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	powershell.exe
PID 1784 wrote to memory of 1536	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	svchost.exe
PID 1784 wrote to memory of 1536	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	svchost.exe
PID 1784 wrote to memory of 1536	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	svchost.exe
PID 1784 wrote to memory of 1536	1784	b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe	svchost.exe
PID 1536 wrote to memory of 1932	1536	svchost.exe	WindowsInput.exe
PID 1536 wrote to memory of 1932	1536	svchost.exe	WindowsInput.exe
PID 1536 wrote to memory of 1932	1536	svchost.exe	WindowsInput.exe
PID 1536 wrote to memory of 1932	1536	svchost.exe	WindowsInput.exe
PID 1536 wrote to memory of 984	1536	svchost.exe	svchost.exe
PID 1536 wrote to memory of 984	1536	svchost.exe	svchost.exe
PID 1536 wrote to memory of 984	1536	svchost.exe	svchost.exe
PID 1536 wrote to memory of 984	1536	svchost.exe	svchost.exe
PID 1928 wrote to memory of 544	1928	taskeng.exe	svchost.exe
PID 1928 wrote to memory of 544	1928	taskeng.exe	svchost.exe
PID 1928 wrote to memory of 544	1928	taskeng.exe	svchost.exe
PID 1928 wrote to memory of 544	1928	taskeng.exe	svchost.exe
PID 984 wrote to memory of 1464	984	svchost.exe	cmd.exe
PID 984 wrote to memory of 1464	984	svchost.exe	cmd.exe
PID 984 wrote to memory of 1464	984	svchost.exe	cmd.exe
PID 984 wrote to memory of 1464	984	svchost.exe	cmd.exe
PID 1464 wrote to memory of 1056	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 1056	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 1056	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 1056	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 1680	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1680	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1680	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1680	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 960	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 960	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 960	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 960	1464	cmd.exe	findstr.exe
PID 984 wrote to memory of 624	984	svchost.exe	cmd.exe
PID 984 wrote to memory of 624	984	svchost.exe	cmd.exe
PID 984 wrote to memory of 624	984	svchost.exe	cmd.exe
PID 984 wrote to memory of 624	984	svchost.exe	cmd.exe
PID 624 wrote to memory of 944	624	cmd.exe	chcp.com
PID 624 wrote to memory of 944	624	cmd.exe	chcp.com
PID 624 wrote to memory of 944	624	cmd.exe	chcp.com
PID 624 wrote to memory of 944	624	cmd.exe	chcp.com
PID 624 wrote to memory of 1408	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 1408	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 1408	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 1408	624	cmd.exe	netsh.exe
PID 984 wrote to memory of 1744	984	svchost.exe	svchost.exe
PID 984 wrote to memory of 1744	984	svchost.exe	svchost.exe
PID 984 wrote to memory of 1744	984	svchost.exe	svchost.exe
PID 984 wrote to memory of 1744	984	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe
"C:\Users\Admin\AppData\Local\Temp\b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2kb2pe0l\2kb2pe0l.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB31.tmp" "c:\Users\Admin\AppData\Local\Temp\2kb2pe0l\CSC56DEA7DF79D7491FB6C810481C2E9410.TMP"
3⤵
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension "exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension "*.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932

C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1056

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:1680

C:\Windows\SysWOW64\findstr.exe
findstr All
5⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:944

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:1408

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files (x86)\svchost.exe" 984 /protectFile
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files (x86)\svchost.exe" 984 "/protectFile"
5⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\taskeng.exe
taskeng.exe {20AC082D-F8C2-4CC1-AB5E-0C1A346D5A30} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
2⤵
- Executes dropped EXE
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Program Files (x86)\svchost.exe.config
Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2kb2pe0l\2kb2pe0l.dll
Filesize
4KB

MD5
c8e48a0eaede2a5b44db94eaeecf983b

SHA1
a493decf95de2d6d6f50be0d6f5a39eaa1f981df

SHA256
cf3be9c0e11a20bc1d91b956811a56490040e1986b2eb9addd84c449e963605a

SHA512
bd9ee442abdbfab3c6193458a1685ffaf227769f1381e9a6a51130ad2ab78c344ea7d8314042bf271d73764e51ae9304346693e8d710eb924ce27ecc14a3bdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB31.tmp
Filesize
1KB

MD5
67a25863be31533814dbb86215eaa3f1

SHA1
6de4410b804a899c62a6ab04fb77b377e86fac78

SHA256
8328d4d86b2a39671cc7d3f9a91c98caf9affff20132510bb6c326ba652a1059

SHA512
4a0dd6d92625879f76dd21681f2ecf519638a8809b8c9f5b751c3dd0a962967c547b51964ee5952e345c6decfd8a9c03d2e4fa7385baea8efff0f9f4c21d5446

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
91fab968973b9b336d66939be818b0d0

SHA1
1867c8e540cd7c745506cab41ef249fb58a956e0

SHA256
d93685f9873fa09aefde493cfe2a112a0a133e503515ece41ed3a2a7c2540471

SHA512
04aee1a35a13a760886a3865be4d52b1be251a51b45ed241c3650ce80d1b6a9fa883f5b2faac8afac458c7cb239444ff353233c8cda0ab0f14105f2d971c8ae8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe.config
Filesize
418B

MD5
47fb1af739ade4e938c8e6d2e504f4a4

SHA1
b5c2786f406614105e488ee500858fc09365170d

SHA256
552fc8db5bd09828e3d73ad68b737efc7f91980d860effd0c68f7d329cf20a92

SHA512
67eb6bade5cca517ef0ba29197548e1d3df45fbad8cf2e407dbb3927c09f3da5008783348716f77311d3e2528f473651c3c8f59bb6cbea31050e39ae5fd09297

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Windows\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Windows\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2kb2pe0l\2kb2pe0l.0.cs
Filesize
1KB

MD5
07f411bd855068d23c0c63161daa0c6b

SHA1
616ab321d31b0198bd5221fce6050fb83dd80991

SHA256
8b1a287ecdb7609fa638675e2c4641334f60b23569641701220aef4acad324bb

SHA512
48ff268231f8d7316b44e933554238eb39313502af19446fca0ef9005aa99e2c5543b1fda814de98298c6c6e3fe265b1f894a9808192d6e29abed50bb5c614e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2kb2pe0l\2kb2pe0l.cmdline
Filesize
204B

MD5
3dd0019551c2846274096d6bce26788b

SHA1
91afa276014b14d6c1a73bfd45597cfbe51a2d5e

SHA256
bf27da3a70c41eab2db7381161bd3dc799d1e06a8f636866b02fa3ccc3f32dfd

SHA512
f0e40bb2878a57f32e51568a8897abff259f4946afbc70a3591c9f1c9ec3b0d4820cb246329c10b8ad35e2a72a501c47d0ab038808f2a93c3ae67260d5fe55d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2kb2pe0l\CSC56DEA7DF79D7491FB6C810481C2E9410.TMP
Filesize
652B

MD5
2815d37e970221a21b2ea05096beae3c

SHA1
27089555aa116b8b13be0a5bfa55a05a95817b9a

SHA256
1615f5db4debbf756930a2cf33a11e38720ce64c0d2714da1781d261718b84b1

SHA512
1aa950828825ee624b1ccb914f2815c971dcffee06a18d6586e542d3bf1de280c033927b68a79ca17b23ee2bcc53660423eac43e294920041eead9f346014796

Download Submit
\Program Files (x86)\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
\Program Files (x86)\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
\Program Files (x86)\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
\Program Files (x86)\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
memory/544-100-0x0000000000000000-mapping.dmp

Download
memory/624-108-0x0000000000000000-mapping.dmp

Download
memory/684-88-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/864-59-0x0000000000000000-mapping.dmp

Download
memory/932-124-0x0000000000000000-mapping.dmp

Download
memory/944-109-0x0000000000000000-mapping.dmp

Download
memory/960-106-0x0000000000000000-mapping.dmp

Download
memory/984-98-0x00000000007E0000-0x00000000007F8000-memory.dmp

Filesize
96KB

Download
memory/984-99-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/984-94-0x00000000008E0000-0x0000000000BE8000-memory.dmp

Filesize
3.0MB

Download
memory/984-114-0x0000000005880000-0x00000000058F8000-memory.dmp

Filesize
480KB

Download
memory/984-96-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/984-97-0x0000000002370000-0x00000000023BE000-memory.dmp

Filesize
312KB

Download
memory/984-90-0x0000000000000000-mapping.dmp

Download
memory/1056-104-0x0000000000000000-mapping.dmp

Download
memory/1192-56-0x0000000000000000-mapping.dmp

Download
memory/1280-71-0x0000000071660000-0x0000000071C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1280-68-0x0000000000000000-mapping.dmp

Download
memory/1408-110-0x0000000000000000-mapping.dmp

Download
memory/1464-103-0x0000000000000000-mapping.dmp

Download
memory/1536-77-0x0000000000B20000-0x0000000000B7C000-memory.dmp

Filesize
368KB

Download
memory/1536-79-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1536-76-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1536-75-0x0000000000C70000-0x0000000000F78000-memory.dmp

Filesize
3.0MB

Download
memory/1536-72-0x0000000000000000-mapping.dmp

Download
memory/1536-80-0x0000000000B80000-0x0000000000B9E000-memory.dmp

Filesize
120KB

Download
memory/1680-105-0x0000000000000000-mapping.dmp

Download
memory/1720-67-0x00000000715E0000-0x0000000071B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-66-0x00000000715E0000-0x0000000071B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-64-0x0000000000000000-mapping.dmp

Download
memory/1744-118-0x0000000000000000-mapping.dmp

Download
memory/1744-123-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1784-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1784-63-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/1784-54-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/1932-82-0x0000000000000000-mapping.dmp

Download
memory/1932-86-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download