Analysis
-
max time kernel
599s -
max time network
594s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
19-02-2024 01:34
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://filebin.net/717pd34p8cwpw3av/Remittance_Advice_18_February_2024_Details_766717.pif
Resource
win10v2004-20231222-en
General
-
Target
https://filebin.net/717pd34p8cwpw3av/Remittance_Advice_18_February_2024_Details_766717.pif
Malware Config
Extracted
warzonerat
sgh2024.ddns.net:5200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 12 IoCs
resource yara_rule behavioral1/memory/2716-130-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2716-134-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2716-136-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2716-141-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2244-148-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2244-149-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2244-151-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2244-153-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2244-156-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/1588-168-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/1588-169-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2244-201-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
pid Process 1828 Remittance_Advice_18_February_2024_Details_766717 (1).pif 5020 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2716 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2104 IntelDrivers.exe 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif 1588 IntelDrivers.exe -
Loads dropped DLL 6 IoCs
pid Process 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance_Advice_18_February_2024_Details_766717 (1).pif Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance_Advice_18_February_2024_Details_766717 (1).pif -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Drivers = "C:\\Users\\Admin\\Documents\\IntelDrivers.exe" Remittance_Advice_18_February_2024_Details_766717 (1).pif -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1828 set thread context of 2716 1828 Remittance_Advice_18_February_2024_Details_766717 (1).pif 110 PID 5020 set thread context of 2244 5020 Remittance_Advice_18_February_2024_Details_766717 (1).pif 112 PID 2104 set thread context of 1588 2104 IntelDrivers.exe 114 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527800640447429" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings chrome.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3364 chrome.exe 3364 chrome.exe 528 chrome.exe 528 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 3364 chrome.exe 3364 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe Token: SeShutdownPrivilege 3364 chrome.exe Token: SeCreatePagefilePrivilege 3364 chrome.exe -
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe 3364 chrome.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2244 Remittance_Advice_18_February_2024_Details_766717 (1).pif -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3364 wrote to memory of 5084 3364 chrome.exe 85 PID 3364 wrote to memory of 5084 3364 chrome.exe 85 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 3116 3364 chrome.exe 87 PID 3364 wrote to memory of 1180 3364 chrome.exe 88 PID 3364 wrote to memory of 1180 3364 chrome.exe 88 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 PID 3364 wrote to memory of 1564 3364 chrome.exe 89 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance_Advice_18_February_2024_Details_766717 (1).pif -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance_Advice_18_February_2024_Details_766717 (1).pif
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://filebin.net/717pd34p8cwpw3av/Remittance_Advice_18_February_2024_Details_766717.pif1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff870129758,0x7ff870129768,0x7ff8701297782⤵PID:5084
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:22⤵PID:3116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:1180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:1564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:12⤵PID:3408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:12⤵PID:4280
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:1824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:4968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:2172
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1632 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:3356
-
-
C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1828 -
C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2716 -
C:\Users\Admin\Documents\IntelDrivers.exe"C:\Users\Admin\Documents\IntelDrivers.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2104 -
C:\Users\Admin\Documents\IntelDrivers.exe"C:\Users\Admin\Documents\IntelDrivers.exe"5⤵
- Executes dropped EXE
PID:1588
-
-
-
-
-
C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5020 -
C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"C:\Users\Admin\Downloads\Remittance_Advice_18_February_2024_Details_766717 (1).pif"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2244
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:82⤵PID:2512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4920 --field-trial-handle=1852,i,13957597647678622830,17812648650578433082,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:528
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3400
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
824B
MD53e82cef35743d19670a9613c75e115bc
SHA1ed9e3810b037af17ea05da535f72e95442368038
SHA2561bd93a5059a0138f7a24c01fbe490681f43b14ab9fe1c7ac562ac1ef51003f02
SHA51265f49039e441437554e57f2ce04def1955024878d99424ecb702427ad602de2ba50c41fd448b39d23eeb8ff373d6d09883d8b85831fbd3e378f22a0b5316a7d3
-
Filesize
705B
MD5c4c667f0e34226bf94227d3cadbf82fc
SHA182b7428cc0bb9d7b027e5514076689fc0b93fb0e
SHA2565228bfadb054b33578206c93ade2401e500566486090f6cbd92e48f96b693ae0
SHA512294a80a1a28c4fd23416a69a1a3f8f43a2e36495d813030b7364d972428b064ccf9b5bb53097dfe7c1fea8bb1ebf0cfb5bef22899406962decd001b1f362df2e
-
Filesize
705B
MD533c296acc2f46f149347c65e8d487aca
SHA10b4720718e524521d5ceab091427b6744a7c9a28
SHA256ca7637671c10e32e5dca6de235f0688f57bfb38595c703168c722634d225918d
SHA5124e37dbea313d0ca884ec8fed41fb395f0033612a85d03b60e3b474a0695decd3474eee8a2660d1e7c330d7dd40357fbb40fb0d79797f36862fc38d32aa10186d
-
Filesize
6KB
MD55490dd00f4f04c3a532138b0e3791180
SHA1a208f879e19e05e8a2567ff21f033857bac82739
SHA25697bfbceaf562563ddb72f522c9cba020a0f197236064dbb20a8929979d2e85b2
SHA512918e0f973be4871e661c6c2d00479a61cbd8c33955fed6ff1963da376d21837c279ed2cfb3919b0c4a3a9ec055e4d9006076c4d94588ba82de4d6ce39fcb2b58
-
Filesize
6KB
MD51cef8bf5fa804dc569ef2dbcbcf478f4
SHA1a43e0a34fbf471e0f10bd14751494e16c8173c3e
SHA256ba2b705ec2371f19b91b66969e30125a3096656e75c9389a49c2f20b41103139
SHA51200e938706ce001f7445fe8b901167d95399ea93028d933b594a48c9e416a068f77c7b1561304b748a84d0a43903a6759cb4b4dc575353cd14c4d82ecc12a4780
-
Filesize
114KB
MD5800fdea453ad7d805a77777d7248dad8
SHA128f09c5b322a340b99b5548cf7da712f62639807
SHA256e900ecfb3bb2b5e9514ae7478997f06f9bf16e33500a2e73b13662c44b76e38d
SHA512556b317e03f62392b11b770e087af0f9d94476c489d63856235f4935f48d50ed6704b87c8d8a4c09846460a60ded9fb6ed6afd60a5b05992067a070016023a81
-
Filesize
115KB
MD5549ca13f23f4094e8c884cfeab041d34
SHA1b8332a647e41bde872ad6044cf08c9ee9611c83e
SHA2562d3914558c8507fd2a9c42a07e56e776bccf2eb80a5c439ac44e09600c684221
SHA51242ac81808de3dc93cca552c4f0a1175482509557d4ec8692992b9e618aa58b35b3df67219c987a480f990f8e7a4aadaa0f91ea64f37402f1807a7dd8e55a8c5d
-
Filesize
114KB
MD5e6448587c22478a31e1e4dab3d63d79f
SHA1cc6949451e1766d415f4386c1bd6d64d00d81928
SHA256d106b20bbeb70b56b3baf08bf7a1be57769c471463477e28bd6a0e948757661d
SHA5127d133ec0eb6d4172c9fac63548f750d0c4c39b7148aee2b1e9b255760d6fd764840d07ca69bddd03b256634fe7aac2210c1e5d2d9482a7b577392464779e502b
-
Filesize
108KB
MD549053689112c90c0f399b7f7ff391b9f
SHA12649d3ee4a7dc56913e59d218f4cc6b06a5d82b0
SHA2569a2c7ddb34629921e0a0319b3e4fa9cddeee974d14cd6a4ffa404d9f0bee5525
SHA5127671c50115c3e17222ac8c37dcf7d97aee475b44f35b52d6f53cb8f9fee4b040f1bb757ed8bf79291862b40e9ced69b16a1bbcf9215f538354cb83a0ce4ed50d
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance_Advice_18_February_2024_Details_766717 (1).pif.log
Filesize1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
326KB
MD5ef12ab9d0b231b8f898067b2114b1bc0
SHA16d90f27b2105945f9bb77039e8b892070a5f9442
SHA2562b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA5122aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
-
Filesize
133KB
MD575f8cc548cabf0cc800c25047e4d3124
SHA1602676768f9faecd35b48c38a0632781dfbde10c
SHA256fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5d7858e8449004e21b01d468e9fd04b82
SHA19524352071ede21c167e7e4f106e9526dc23ef4e
SHA25678758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA5121e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440
-
Filesize
141KB
MD5471c983513694ac3002590345f2be0da
SHA16612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
Filesize
579KB
MD53abd65d34fbbd87ce50eaa1b0eb439d0
SHA1ff225553cca948f35a0765f48b5b146f43bb4203
SHA256d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
SHA5123ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616