1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b

Analysis

max time kernel
95s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2.exe
Size

4.6MB
MD5

2afcac7aaede32980c96fda99c8c8677
SHA1

436e83ce6882e798e5bb6d89a31913285886d3a2
SHA256

1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b
SHA512

5ccba16f2b31f1271487729c6d502529fa329d56dc126f080481d567c37c7ed68760c808e7fb6559293c65cf9ea8deca67ba2670a42a806d7e158ce79a513907
SSDEEP

98304:DbcuGWyADhhIab1bvece79p6T215vhx8ovhqg4zi4RWouv60FFS7W:0dyhhIaZNeZy2Lb8Uf4G4EoE6t

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4744-133-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-134-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-135-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-136-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-139-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-140-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-142-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-145-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-158-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx
behavioral2/memory/4744-175-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
9	ipinfo.io
60	ipinfo.io
83	ipinfo.io
85	ipinfo.io

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5088	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2944	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b2.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe
4744	b2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe
Token: SeRestorePrivilege	2552	wmic.exe
Token: SeShutdownPrivilege	2552	wmic.exe
Token: SeDebugPrivilege	2552	wmic.exe
Token: SeSystemEnvironmentPrivilege	2552	wmic.exe
Token: SeRemoteShutdownPrivilege	2552	wmic.exe
Token: SeUndockPrivilege	2552	wmic.exe
Token: SeManageVolumePrivilege	2552	wmic.exe
Token: 33	2552	wmic.exe
Token: 34	2552	wmic.exe
Token: 35	2552	wmic.exe
Token: 36	2552	wmic.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe
Token: SeRestorePrivilege	2552	wmic.exe
Token: SeShutdownPrivilege	2552	wmic.exe
Token: SeDebugPrivilege	2552	wmic.exe
Token: SeSystemEnvironmentPrivilege	2552	wmic.exe
Token: SeRemoteShutdownPrivilege	2552	wmic.exe
Token: SeUndockPrivilege	2552	wmic.exe
Token: SeManageVolumePrivilege	2552	wmic.exe
Token: 33	2552	wmic.exe
Token: 34	2552	wmic.exe
Token: 35	2552	wmic.exe
Token: 36	2552	wmic.exe
Token: SeIncreaseQuotaPrivilege	4868	wmic.exe
Token: SeSecurityPrivilege	4868	wmic.exe
Token: SeTakeOwnershipPrivilege	4868	wmic.exe
Token: SeLoadDriverPrivilege	4868	wmic.exe
Token: SeSystemProfilePrivilege	4868	wmic.exe
Token: SeSystemtimePrivilege	4868	wmic.exe
Token: SeProfSingleProcessPrivilege	4868	wmic.exe
Token: SeIncBasePriorityPrivilege	4868	wmic.exe
Token: SeCreatePagefilePrivilege	4868	wmic.exe
Token: SeBackupPrivilege	4868	wmic.exe
Token: SeRestorePrivilege	4868	wmic.exe
Token: SeShutdownPrivilege	4868	wmic.exe
Token: SeDebugPrivilege	4868	wmic.exe
Token: SeSystemEnvironmentPrivilege	4868	wmic.exe
Token: SeRemoteShutdownPrivilege	4868	wmic.exe
Token: SeUndockPrivilege	4868	wmic.exe
Token: SeManageVolumePrivilege	4868	wmic.exe
Token: 33	4868	wmic.exe
Token: 34	4868	wmic.exe
Token: 35	4868	wmic.exe
Token: 36	4868	wmic.exe
Token: SeIncreaseQuotaPrivilege	4868	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3384	4744	b2.exe	85
PID 4744 wrote to memory of 3384	4744	b2.exe	85
PID 4744 wrote to memory of 3752	4744	b2.exe	86
PID 4744 wrote to memory of 3752	4744	b2.exe	86
PID 4744 wrote to memory of 228	4744	b2.exe	101
PID 4744 wrote to memory of 228	4744	b2.exe	101
PID 4744 wrote to memory of 4260	4744	b2.exe	102
PID 4744 wrote to memory of 4260	4744	b2.exe	102
PID 4744 wrote to memory of 1832	4744	b2.exe	103
PID 4744 wrote to memory of 1832	4744	b2.exe	103
PID 4744 wrote to memory of 4148	4744	b2.exe	104
PID 4744 wrote to memory of 4148	4744	b2.exe	104
PID 4744 wrote to memory of 660	4744	b2.exe	105
PID 4744 wrote to memory of 660	4744	b2.exe	105
PID 4744 wrote to memory of 2552	4744	b2.exe	107
PID 4744 wrote to memory of 2552	4744	b2.exe	107
PID 4744 wrote to memory of 4868	4744	b2.exe	108
PID 4744 wrote to memory of 4868	4744	b2.exe	108
PID 4744 wrote to memory of 4904	4744	b2.exe	109
PID 4744 wrote to memory of 4904	4744	b2.exe	109
PID 4904 wrote to memory of 4992	4904	cmd.exe	110
PID 4904 wrote to memory of 4992	4904	cmd.exe	110
PID 4992 wrote to memory of 4736	4992	net.exe	111
PID 4992 wrote to memory of 4736	4992	net.exe	111
PID 4744 wrote to memory of 5088	4744	b2.exe	112
PID 4744 wrote to memory of 5088	4744	b2.exe	112
PID 4744 wrote to memory of 4516	4744	b2.exe	115
PID 4744 wrote to memory of 4516	4744	b2.exe	115
PID 4744 wrote to memory of 4160	4744	b2.exe	116
PID 4744 wrote to memory of 4160	4744	b2.exe	116
PID 4744 wrote to memory of 2968	4744	b2.exe	117
PID 4744 wrote to memory of 2968	4744	b2.exe	117
PID 4744 wrote to memory of 3180	4744	b2.exe	118
PID 4744 wrote to memory of 3180	4744	b2.exe	118
PID 4744 wrote to memory of 3724	4744	b2.exe	119
PID 4744 wrote to memory of 3724	4744	b2.exe	119
PID 4744 wrote to memory of 2824	4744	b2.exe	120
PID 4744 wrote to memory of 2824	4744	b2.exe	120
PID 4744 wrote to memory of 4352	4744	b2.exe	121
PID 4744 wrote to memory of 4352	4744	b2.exe	121
PID 4744 wrote to memory of 988	4744	b2.exe	122
PID 4744 wrote to memory of 988	4744	b2.exe	122
PID 4744 wrote to memory of 3600	4744	b2.exe	123
PID 4744 wrote to memory of 3600	4744	b2.exe	123
PID 4744 wrote to memory of 3416	4744	b2.exe	124
PID 4744 wrote to memory of 3416	4744	b2.exe	124
PID 4744 wrote to memory of 1380	4744	b2.exe	125
PID 4744 wrote to memory of 1380	4744	b2.exe	125
PID 4744 wrote to memory of 3772	4744	b2.exe	126
PID 4744 wrote to memory of 3772	4744	b2.exe	126
PID 4744 wrote to memory of 5064	4744	b2.exe	127
PID 4744 wrote to memory of 5064	4744	b2.exe	127
PID 4744 wrote to memory of 4836	4744	b2.exe	128
PID 4744 wrote to memory of 4836	4744	b2.exe	128
PID 4744 wrote to memory of 324	4744	b2.exe	129
PID 4744 wrote to memory of 324	4744	b2.exe	129
PID 4744 wrote to memory of 4840	4744	b2.exe	130
PID 4744 wrote to memory of 4840	4744	b2.exe	130
PID 4744 wrote to memory of 3424	4744	b2.exe	131
PID 4744 wrote to memory of 3424	4744	b2.exe	131
PID 4744 wrote to memory of 656	4744	b2.exe	132
PID 4744 wrote to memory of 656	4744	b2.exe	132
PID 4744 wrote to memory of 4768	4744	b2.exe	133
PID 4744 wrote to memory of 4768	4744	b2.exe	133

C:\Users\Admin\AppData\Local\Temp\b2.exe
"C:\Users\Admin\AppData\Local\Temp\b2.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3384
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3752
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c
  2⤵
  PID:228
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4260
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1832
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4148
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:660
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\Wbem\wmic.exe
  wmic desktopmonitor get "screenheight, screenwidth"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\system32\cmd.exe
  cmd /C net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4736
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:5088
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4516
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4160
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2968
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3180
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3724
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2824
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4352
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:988
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3600
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3416
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1380
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3772
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:5064
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4836
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:324
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4840
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3424
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:656
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4768
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:888
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4548
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:696
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Telegram.exe
  2⤵
  - Kills process with taskkill
  PID:2944
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1532
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2124
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NL154.61.71.13\google-chrome_webdata.txt

Filesize
1KB

MD5
e5b49b454a367e311112efd3e17a25e0

SHA1
cb16cbb1a6f3fc64fff6795e676dd9ba40d9235a

SHA256
829fe37d84fc64e9e24f701db94ce3cbc62af2ca2b6591989eb83375cbb5699c

SHA512
de83fd72fdb016a922ab3ea805f70448ff060d98ea143bc8e62bd3da099b05ff220df3d5d27fb2bb7de25ee000a19307a4ac29e346fc1c60f0d57f1aec8286fc

Download Submit
memory/4744-133-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-134-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-135-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-136-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-139-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-140-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-142-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-145-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-158-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download
memory/4744-175-0x00007FF7B7BC0000-0x00007FF7B8A14000-memory.dmp

Filesize
14.3MB

Download