phobos | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Analysis

max time kernel
247s
max time network
302s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
Size

1.9MB
MD5

1b87684768db892932be3f0661c54251
SHA1

e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA256

65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA512

0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
SSDEEP

24576:jx4Ul0rrIOGz9I6U7AeyGvHynlLghECQl4L529dktxtPCv1ri+J/ac//zWOYopmB:mUl0/2kHW8ECQl4wi+snopp2vQ

Score

10^/10

phobos rhadamanthys smokeloader backdoor collection ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Signatures

Detect rhadamanthys stealer shellcode 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2684-20-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys
behavioral1/memory/2684-21-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys
behavioral1/memory/2684-22-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys
behavioral1/memory/2684-23-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys
behavioral1/memory/2684-24-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys
behavioral1/memory/2684-33-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys
behavioral1/memory/2684-34-0x0000000000B20000-0x0000000000F20000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe

description pid process target process

PID 2684 created 1260 2684 SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe Explorer.EXE
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2912 certreq.exe

description	pid	process	target process
PID 2684 created 1260	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	Explorer.EXE

pid	process
2912	certreq.exe

Executes dropped EXE 16 IoCs

Processes:

4_[CT.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exeB5K6m(8.exe4_[CT.exeB5K6m(8.exeB5K6m(8.exeC88D.exeC88D.exeCD4F.exe

pid	process
320	4_[CT.exe
1392	B5K6m(8.exe
1488	B5K6m(8.exe
2196	B5K6m(8.exe
2100	B5K6m(8.exe
1648	B5K6m(8.exe
1728	B5K6m(8.exe
1628	B5K6m(8.exe
1980	B5K6m(8.exe
2192	B5K6m(8.exe
1476	4_[CT.exe
2084	B5K6m(8.exe
1912	B5K6m(8.exe
2340	C88D.exe
2032	C88D.exe
1448	CD4F.exe

Loads dropped DLL 1 IoCs

Processes:

C88D.exe

pid process

2340 C88D.exe

pid	process
2340	C88D.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe4_[CT.exeC88D.exe

description	pid	process	target process
PID 2060 set thread context of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 320 set thread context of 1476	320	4_[CT.exe	4_[CT.exe
PID 2340 set thread context of 2032	2340	C88D.exe	C88D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4_[CT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4_[CT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4_[CT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4_[CT.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exeSecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.execertreq.exeB5K6m(8.exe4_[CT.exeExplorer.EXE

pid	process
2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
2912	certreq.exe
2912	certreq.exe
2912	certreq.exe
2912	certreq.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1392	B5K6m(8.exe
1476	4_[CT.exe
1476	4_[CT.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

4_[CT.exe

pid process

1476 4_[CT.exe

pid	process
1260	Explorer.EXE

pid	process
1476	4_[CT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe4_[CT.exeB5K6m(8.exeC88D.exe

description	pid	process
Token: SeDebugPrivilege	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
Token: SeDebugPrivilege	320	4_[CT.exe
Token: SeDebugPrivilege	1392	B5K6m(8.exe
Token: SeDebugPrivilege	2340	C88D.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exeSecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe4_[CT.exeB5K6m(8.exeExplorer.EXE

description	pid	process	target process
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2060 wrote to memory of 2684	2060	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2684 wrote to memory of 2912	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 2684 wrote to memory of 2912	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 2684 wrote to memory of 2912	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 2684 wrote to memory of 2912	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 2684 wrote to memory of 2912	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 2684 wrote to memory of 2912	2684	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 1392 wrote to memory of 1488	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1488	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1488	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1488	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2196	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2196	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2196	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2196	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2100	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2100	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2100	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2100	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1648	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1648	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1648	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1648	1392	B5K6m(8.exe	B5K6m(8.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 1392 wrote to memory of 1728	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1728	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1728	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1728	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1628	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1628	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1628	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1628	1392	B5K6m(8.exe	B5K6m(8.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 1392 wrote to memory of 1980	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1980	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1980	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1980	1392	B5K6m(8.exe	B5K6m(8.exe
PID 320 wrote to memory of 1476	320	4_[CT.exe	4_[CT.exe
PID 1392 wrote to memory of 2192	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2192	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2192	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2192	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2084	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2084	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2084	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 2084	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1912	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1912	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1912	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1392 wrote to memory of 1912	1392	B5K6m(8.exe	B5K6m(8.exe
PID 1260 wrote to memory of 2340	1260	Explorer.EXE	C88D.exe
PID 1260 wrote to memory of 2340	1260	Explorer.EXE	C88D.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2912

C:\Users\Admin\AppData\Local\Temp\C88D.exe
C:\Users\Admin\AppData\Local\Temp\C88D.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Users\Admin\AppData\Local\Temp\C88D.exe
C:\Users\Admin\AppData\Local\Temp\C88D.exe
3⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Local\Temp\CD4F.exe
C:\Users\Admin\AppData\Local\Temp\CD4F.exe
2⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe
"C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe
C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1476

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
"C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe
2⤵
- Executes dropped EXE
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe

Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe

Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\4_[CT.exe

Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B5K6m(8.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\C88D.exe

Filesize
549KB

MD5
556b70c5d3d1c8c74d6cdfd488f8e11a

SHA1
398cacfab01691b313d9581f8f74b0f5d8fda360

SHA256
a8d2d0ceaaf6685644b228a767ea6299ea2968f7cae79dd36abf4225b8593fdd

SHA512
ef95bb417023f03037266324cf069987f2153f9e8e5c188cfd129de0d7a752989daf7c9208d58d29e2686e7c56e4198196faccd823c1d75831bf980b5f183fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C88D.exe

Filesize
549KB

MD5
556b70c5d3d1c8c74d6cdfd488f8e11a

SHA1
398cacfab01691b313d9581f8f74b0f5d8fda360

SHA256
a8d2d0ceaaf6685644b228a767ea6299ea2968f7cae79dd36abf4225b8593fdd

SHA512
ef95bb417023f03037266324cf069987f2153f9e8e5c188cfd129de0d7a752989daf7c9208d58d29e2686e7c56e4198196faccd823c1d75831bf980b5f183fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C88D.exe

Filesize
549KB

MD5
556b70c5d3d1c8c74d6cdfd488f8e11a

SHA1
398cacfab01691b313d9581f8f74b0f5d8fda360

SHA256
a8d2d0ceaaf6685644b228a767ea6299ea2968f7cae79dd36abf4225b8593fdd

SHA512
ef95bb417023f03037266324cf069987f2153f9e8e5c188cfd129de0d7a752989daf7c9208d58d29e2686e7c56e4198196faccd823c1d75831bf980b5f183fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD4F.exe

Filesize
468KB

MD5
20bb118569b859e64feaaf30227e04b8

SHA1
3fb2c608529575ad4b06770e130eb9d2d0750ed7

SHA256
c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674

SHA512
567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Download Submit
\Users\Admin\AppData\Local\Temp\C88D.exe

Filesize
549KB

MD5
556b70c5d3d1c8c74d6cdfd488f8e11a

SHA1
398cacfab01691b313d9581f8f74b0f5d8fda360

SHA256
a8d2d0ceaaf6685644b228a767ea6299ea2968f7cae79dd36abf4225b8593fdd

SHA512
ef95bb417023f03037266324cf069987f2153f9e8e5c188cfd129de0d7a752989daf7c9208d58d29e2686e7c56e4198196faccd823c1d75831bf980b5f183fed

Download Submit
memory/320-70-0x0000000000930000-0x0000000000962000-memory.dmp

Filesize
200KB

Download
memory/320-90-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/320-67-0x00000000046B0000-0x00000000046F0000-memory.dmp

Filesize
256KB

Download
memory/320-63-0x0000000000590000-0x00000000005D4000-memory.dmp

Filesize
272KB

Download
memory/320-58-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/320-59-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1260-94-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/1392-93-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1392-69-0x0000000000AE0000-0x0000000000B0C000-memory.dmp

Filesize
176KB

Download
memory/1392-68-0x0000000000F30000-0x0000000000F70000-memory.dmp

Filesize
256KB

Download
memory/1392-65-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/1392-66-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1392-64-0x0000000000FC0000-0x0000000001000000-memory.dmp

Filesize
256KB

Download
memory/1476-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1476-95-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1476-84-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1476-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1476-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2032-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2032-118-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-117-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-127-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-120-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-115-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-116-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-128-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-123-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-119-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2060-4-0x0000000000B00000-0x0000000000B68000-memory.dmp

Filesize
416KB

Download
memory/2060-17-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-0-0x00000000011B0000-0x0000000001396000-memory.dmp

Filesize
1.9MB

Download
memory/2060-2-0x0000000000CC0000-0x0000000000D38000-memory.dmp

Filesize
480KB

Download
memory/2060-1-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-3-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/2060-5-0x0000000000720000-0x000000000076C000-memory.dmp

Filesize
304KB

Download
memory/2340-112-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2340-109-0x0000000000ED0000-0x0000000000F60000-memory.dmp

Filesize
576KB

Download
memory/2340-111-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-110-0x0000000000BC0000-0x0000000000C06000-memory.dmp

Filesize
280KB

Download
memory/2340-113-0x0000000000D00000-0x0000000000D34000-memory.dmp

Filesize
208KB

Download
memory/2340-126-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-34-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-32-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2684-33-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-26-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2684-24-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-23-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-22-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-21-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-20-0x0000000000B20000-0x0000000000F20000-memory.dmp

Filesize
4.0MB

Download
memory/2684-19-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/2684-18-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2684-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2684-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2684-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-9-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2684-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2684-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2912-35-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/2912-92-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2912-91-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2912-55-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2912-54-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-47-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2912-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2912-36-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2912-25-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download