fabookie | 210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe
Size

2.8MB
MD5

e4af1c73101f2ab9f89d04a11986c58a
SHA1

a6711c9fffe5f192d9e01445ad261ef74b601cfc
SHA256

210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea
SHA512

7f7da803b90d7c2948421e4106edac91899d109adc19c6f264e899ba726e349609bbfdab5051dafcba255becbc3f418fcb0eca2e199f562f51105231c71cfb07
SSDEEP

49152:xcB7EwJ84vLRaBtIl9mVUycpVTI1+ZjnN4zXH9kGhTeUUP07If+cgDU8e:xRCvLUBsgKxI1wjAXZaUUPEIf+fU8e

Score

10^/10

fabookie nullmixer privateloader vidar 706 aspackv2 dropper loader spyware stealer

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019371-70.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/1476-95-0x00000000002E0000-0x000000000037D000-memory.dmp	family_vidar
behavioral1/memory/1476-130-0x0000000000400000-0x0000000001DDD000-memory.dmp	family_vidar
behavioral1/memory/1476-261-0x0000000000400000-0x0000000001DDD000-memory.dmp	family_vidar
behavioral1/memory/1476-271-0x00000000002E0000-0x000000000037D000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0021000000015e94-39.dat	aspack_v212_v242
behavioral1/files/0x000a00000001225e-41.dat	aspack_v212_v242
behavioral1/files/0x00070000000165c9-46.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
2664	setup_install.exe
2460	Mon11683f2e7644c1b4f.exe
1344	Mon1191c1dd6b4bf8a8.exe
772	Mon117bbc055965aa.exe
1476	Mon11f31841cdad6d9.exe
1756	Mon114a960f05f64d8.exe
1748	Mon11da3a74a605c9d5d.exe
2648	Mon11abd984387abd.exe
1916	Mon114a960f05f64d8.tmp

Loads dropped DLL 42 IoCs

pid	Process
2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe
2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe
2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe
2664	setup_install.exe
2664	setup_install.exe
2664	setup_install.exe
2664	setup_install.exe
2664	setup_install.exe
2664	setup_install.exe
2664	setup_install.exe
2664	setup_install.exe
2212	cmd.exe
2680	cmd.exe
2460	Mon11683f2e7644c1b4f.exe
2460	Mon11683f2e7644c1b4f.exe
3024	cmd.exe
2556	cmd.exe
2556	cmd.exe
1476	Mon11f31841cdad6d9.exe
1476	Mon11f31841cdad6d9.exe
2580	cmd.exe
2624	cmd.exe
1756	Mon114a960f05f64d8.exe
1756	Mon114a960f05f64d8.exe
2612	cmd.exe
2648	Mon11abd984387abd.exe
2648	Mon11abd984387abd.exe
1756	Mon114a960f05f64d8.exe
1916	Mon114a960f05f64d8.tmp
1916	Mon114a960f05f64d8.tmp
1916	Mon114a960f05f64d8.tmp
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	2664	WerFault.exe	28
1988	1476	WerFault.exe	39

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mon11f31841cdad6d9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon11f31841cdad6d9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon11f31841cdad6d9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	Mon117bbc055965aa.exe
Token: SeDebugPrivilege	1344	Mon1191c1dd6b4bf8a8.exe
Token: SeDebugPrivilege	2192	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2528 wrote to memory of 2664	2528	210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe	28
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2672	2664	setup_install.exe	30
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2212	2664	setup_install.exe	34
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2556	2664	setup_install.exe	33
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2580	2664	setup_install.exe	32
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2624	2664	setup_install.exe	31
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 2680	2664	setup_install.exe	45
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 3024	2664	setup_install.exe	44
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2664 wrote to memory of 2612	2664	setup_install.exe	36
PID 2212 wrote to memory of 2460	2212	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe
"C:\Users\Admin\AppData\Local\Temp\210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11da3a74a605c9d5d.exe
    3⤵
    - Loads dropped DLL
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11da3a74a605c9d5d.exe
      Mon11da3a74a605c9d5d.exe
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon114a960f05f64d8.exe
    3⤵
    - Loads dropped DLL
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon114a960f05f64d8.exe
      Mon114a960f05f64d8.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\is-H4E00.tmp\Mon114a960f05f64d8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H4E00.tmp\Mon114a960f05f64d8.tmp" /SL5="$50158,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon114a960f05f64d8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11f31841cdad6d9.exe
    3⤵
    - Loads dropped DLL
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11f31841cdad6d9.exe
      Mon11f31841cdad6d9.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:1476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 956
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11683f2e7644c1b4f.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11683f2e7644c1b4f.exe
      Mon11683f2e7644c1b4f.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11abd984387abd.exe
    3⤵
    - Loads dropped DLL
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11abd984387abd.exe
      Mon11abd984387abd.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1191c1dd6b4bf8a8.exe
    3⤵
    - Loads dropped DLL
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon117bbc055965aa.exe
    3⤵
    - Loads dropped DLL
    PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 420
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2744

C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon1191c1dd6b4bf8a8.exe
Mon1191c1dd6b4bf8a8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon117bbc055965aa.exe
Mon117bbc055965aa.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a6db9a457bff9b6e6264b0059296b40

SHA1
8e2e8c75fed2848c6469993b4111aa516e6198c8

SHA256
624ec6b2174a4a9784348032e8dc7cf27cc850c2f2f6572eb1fabae2155d1212

SHA512
b63e2ab87c4289d97a514ec7e1ec6eaaa03e23c632bf19e0a32fa52e917c83e83df082e36a6df7bd304228269a48159680c44c1248fc529210607edfbb5ddb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon114a960f05f64d8.exe

Filesize
757KB

MD5
8887a710e57cf4b3fe841116e9a0dfdd

SHA1
8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4

SHA256
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

SHA512
1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11683f2e7644c1b4f.exe

Filesize
100KB

MD5
6a74bd82aebb649898a4286409371cc2

SHA1
be1ba3f918438d643da499c25bfb5bdeb77dd2e2

SHA256
f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a

SHA512
62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon117bbc055965aa.exe

Filesize
64KB

MD5
77c6ce12fbd92d5ab9e078d31df8d085

SHA1
f62a3d68c43ca0afde3ba15bf258f1eb4557d2ff

SHA256
19243eb6c26034ac8fb660b83a66578828aaa2461439507c6ed9bfc7310001f0

SHA512
7f83100c7df7f3fb7f06611ea4f6e94a1c61d5a784ae3123e7a2ff5449edebf2765ac6e176a44fe5aa1470cff517f7cda6bf9cea989f8e5514a3e781c99f826e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon1191c1dd6b4bf8a8.exe

Filesize
8KB

MD5
aba80c623dd45ad9f26e1474cece96af

SHA1
462562d51999490104300abd8999d25c03f359c7

SHA256
9f49d2110ce857ad6bc5a59870ee37d02651dd381820320827a7477082836f3e

SHA512
3405ee4980bea01dc30c1dfc5fc407dc6a1ded64948a1436e3436424bd317d1550e861bc2f927009ebfae3b38280670c60c59203ab7ca12372955fcdf2826048

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11abd984387abd.exe

Filesize
128KB

MD5
204973c82a450d939d8e392b66122d4c

SHA1
c10a4236a8bb789372e57e684e7f888544a119cc

SHA256
71d760b6e71106718912140db74d073e3b5b35366afdd57efc9026b245053313

SHA512
e685dd70374258941bd5222d83bb650c00aeb1e4a245f1bea837c407a5b3306512484fbb39445cb39afb551b18225adf1caa0aea8ee18864b39f82b2b629051d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11da3a74a605c9d5d.exe

Filesize
1.3MB

MD5
e113dae909b8fe86578d8558326d626b

SHA1
28d21842fce5df5dee1704eb4c28388c44860a53

SHA256
6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11

SHA512
d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11f31841cdad6d9.exe

Filesize
574KB

MD5
4db799818a40d57fb95bc7b306284bcf

SHA1
d2f17669d9ae9c0fffc8b9266664b17be57bbeb8

SHA256
f0db6ac793fee030c32fcfe5cc69f4ba44d841c9adadf9e769b868fea00306bc

SHA512
ad1db60bb49c388cff54e4d66c8f02f895510eef4b198dd1078996119c7a865cd995e6392e472cfce9867634f93aaee38fb285acb6a87d6aaf293c80884d48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe

Filesize
1.4MB

MD5
4c289af760f9903eaea7a2ffc6fdd31c

SHA1
09e52dbedb1b614854bc546ff453746c75a338b2

SHA256
9fd19a3b761212a0a5af40dbf43f2c0dcdd9a13249caf58d7d7b175e29715f2c

SHA512
a17da03808dfa38531f0bd8ffb767f4918116b7ea077afdad6731cdca209affa9106d8f3fdad1263b24432e6e8f7ed40c30a322d712c2820bb59c3910628382c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB06B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2CE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11683f2e7644c1b4f.exe

Filesize
64KB

MD5
8b5768667f6098d8593e302cb7835618

SHA1
3ebc201c02bae5fc5b3d0694bdf8c2bf58922b92

SHA256
310d55022152140a512f4b841b62606cea7cd27aae69949f22b35f77b0906a55

SHA512
46f85a1c736e1189f177a88cf99fd93fa2d9e7f740d5e431363fcc61ad1b60658ed674b97c64b2fef75c13d2583a694f3b3a0d5fb52ffb1b55cd3dba31dab8a3

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon117bbc055965aa.exe

Filesize
140KB

MD5
10f81965cd2d2cdffd77f4d78c4883ed

SHA1
a5cefe02b5f09e5d2aaf16d2e39adaafdea41470

SHA256
b665244ba275605a13645e5bbe7d645c61a620bd1e2f145b0490171595a956f3

SHA512
657a9bed3dc639caf2171352343d64e2ac8824f6a17a98da702e3cddc53e1028e12e2b8a3813c3687667314e5c353d0b9ef042313eda7076203dd09bcc7ff8fe

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\Mon11abd984387abd.exe

Filesize
1.0MB

MD5
b0f998e526aa724a696ccb2a75ff4f59

SHA1
c1aa720cc06c07acc8141fab84cdb8f9566c0994

SHA256
05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898

SHA512
ea7388083b8f4ef886d04d79a862ad1d6f9ecb94af1267a9ae0932dbc10ef1046b8e235972eab2a4741df52981094a81329f107e6e44adebdf9e95d7c778d55b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe

Filesize
384KB

MD5
247db53051cf9c04ba6c990fd38e407e

SHA1
e8d035a446a9164a3a38878c48bb01f0a1994937

SHA256
63cf7f14b51c5ce7e62c9bbc137d16d8e18df1ad9d232df4323b87dc266ffa42

SHA512
1b7cae5b2272fa3ad02113503d74bed19d55b04215a79fd0e086edbd2c3e3149912546e796f4206c21dbfb6c1c3076c7d07d3aedddc40d493dad5424a89c9f83

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe

Filesize
2.1MB

MD5
ccf31f5e384cb7a73b6b9d3c5d0b1267

SHA1
08b3d51e11e1982f673a9943fdac3a8d0bc833bd

SHA256
7296e3255eba55ebc9fdca7984bec4f658724df5972864c4898066fa181f77bd

SHA512
b35450cd717259f7afd7529acb0652541b979f720b6e1c5e5e457bea120a7e5968c213020097ef9609e56e1034e4a27c8622b4fe7e4a19283aaa87034ce85564

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe

Filesize
1.9MB

MD5
9ee15c5c019d26f376d4e6d4b630ae3d

SHA1
57e77e20a8d05616825b77638febd92f8ef9939a

SHA256
bd388c5a08262036a907e8be249a5ce34b82d0296b466d6b88fa42364776e37f

SHA512
edae073d8aea3a71e78895810af080b5927537b1b013eab2d9f3204d0197fbfa8e5c19dd4a5538f0996b757dd42bdd3c57a39c32c148efeaf137ecde60e82b91

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E98D596\setup_install.exe

Filesize
2.0MB

MD5
ea5b8320cf7cac0af1f1ec3c5126e54a

SHA1
f862a6234dc57b06c9be3bdef40915fc01637964

SHA256
172fea801294e7241e9d3784b79f51f0463ef8e4be45d706e88af814225ec2cd

SHA512
c829de25fc321cb2b822e1f4906bb1862f33c041839add8671000900eb5c49253e1d32f2c56399f6c1a1606a6b5580fd9588d6653d11d93793eb1e579dd4907b

Download Submit
\Users\Admin\AppData\Local\Temp\is-8QEM0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8QEM0.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-H4E00.tmp\Mon114a960f05f64d8.tmp

Filesize
1.0MB

MD5
090544331456bfb5de954f30519826f0

SHA1
8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4

SHA256
b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047

SHA512
03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

Download Submit
memory/772-122-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/772-269-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/772-127-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/772-142-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/772-104-0x0000000000120000-0x000000000014C000-memory.dmp

Filesize
176KB

Download
memory/1344-102-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/1344-279-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-143-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1344-144-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-95-0x00000000002E0000-0x000000000037D000-memory.dmp

Filesize
628KB

Download
memory/1476-92-0x0000000001E80000-0x0000000001F80000-memory.dmp

Filesize
1024KB

Download
memory/1476-271-0x00000000002E0000-0x000000000037D000-memory.dmp

Filesize
628KB

Download
memory/1476-270-0x0000000001E80000-0x0000000001F80000-memory.dmp

Filesize
1024KB

Download
memory/1476-261-0x0000000000400000-0x0000000001DDD000-memory.dmp

Filesize
25.9MB

Download
memory/1476-130-0x0000000000400000-0x0000000001DDD000-memory.dmp

Filesize
25.9MB

Download
memory/1756-129-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1756-100-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1916-126-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2192-145-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2192-260-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2192-131-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2664-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-201-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-56-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2664-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2664-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-189-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2664-200-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2664-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2664-192-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2664-191-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2664-190-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2664-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2664-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2664-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2664-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2664-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2664-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download