Analysis
-
max time kernel
132s
-
max time network
142s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
11-03-2024 15:48
Static task
static1
Behavioral task
behavioral1
Sample
c0facaa9561e361afe9d92d38e2793a0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c0facaa9561e361afe9d92d38e2793a0.exe
Resource
win10v2004-20240226-en
General
-
Target
c0facaa9561e361afe9d92d38e2793a0.exe
-
Size
1.1MB
-
MD5
c0facaa9561e361afe9d92d38e2793a0
-
SHA1
135c63fbf3659951888c74dde12df75575664eca
-
SHA256
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
-
SHA512
50f1dcda7ad25017241ba8f46494653e4f64e35a6af57a64ec149802f4e25124ff5d3adbdf81a4137bedb122e688987fa6f36ebfa45a9e0638803f9388965abb
-
SSDEEP
24576:nqqPzCBX6k4NCC0pOVXPbhH4DZ0XscH93EyLvWvfwi4Zm3:nqqGkRkCNFhH4DZ08cH93EyzwolZi
Malware Config
Signatures
-
Detect ZGRat V1 31 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1148-52-0x00000000049A0000-0x0000000004BA8000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-53-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-54-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-56-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-58-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-60-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-62-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-64-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-66-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-68-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-70-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-72-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-74-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-76-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-78-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-80-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-84-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-87-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-91-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-93-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-89-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-97-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-95-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-99-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-101-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-105-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-107-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-103-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1148-82-0x00000000049A0000-0x0000000004BA3000-memory.dmp | family_zgrat_v1
behavioral1/memory/1612-1016-0x0000000004DA0000-0x0000000004ECA000-memory.dmp | family_zgrat_v1
behavioral1/memory/1756-1986-0x0000000004870000-0x0000000004958000-memory.dmp | family_zgrat_v1
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 7 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\BBLb.exe | family_purelog_stealer
behavioral1/memory/1612-1006-0x0000000000130000-0x0000000000270000-memory.dmp | family_purelog_stealer
\Users\Admin\AppData\Local\Temp\BBLb.exe | family_purelog_stealer
C:\Users\Admin\AppData\Local\Temp\BBLb.exe | family_purelog_stealer
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe | family_purelog_stealer
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe | family_purelog_stealer
behavioral1/memory/1204-5194-0x0000000000C90000-0x0000000000DD0000-memory.dmp | family_purelog_stealer
-
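The two YARA tables above (ZGRat V1 and PureLog Stealer) list one row per memory dump, so a single region that the sandbox dumped repeatedly appears many times; the middle number in `<pid>-<sequence>-<start>-<end>-memory.dmp` is only the dump order. The following is an added example of mine, not part of the Triage report: it parses those names, collapses repeated dumps into distinct regions per PID, keeps the on-disk hits apart, and reports region sizes that recur across processes. The hit list is a constructed subset of the rows above.

```python
import re
from collections import defaultdict

# Triage names a memory IoC <pid>-<dump sequence>-<start>-<end>-memory.dmp; the
# sequence number says when the region was dumped, not that it is a new region.
MEMDUMP_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed subset of the (resource, yara_rule) rows from the two tables above.
SAMPLE_HITS = [
    ("behavioral1/memory/1148-52-0x00000000049A0000-0x0000000004BA8000-memory.dmp", "family_zgrat_v1"),
    ("behavioral1/memory/1148-53-0x00000000049A0000-0x0000000004BA3000-memory.dmp", "family_zgrat_v1"),
    ("behavioral1/memory/1148-54-0x00000000049A0000-0x0000000004BA3000-memory.dmp", "family_zgrat_v1"),
    ("behavioral1/memory/1148-107-0x00000000049A0000-0x0000000004BA3000-memory.dmp", "family_zgrat_v1"),
    ("behavioral1/memory/1612-1016-0x0000000004DA0000-0x0000000004ECA000-memory.dmp", "family_zgrat_v1"),
    ("behavioral1/memory/1756-1986-0x0000000004870000-0x0000000004958000-memory.dmp", "family_zgrat_v1"),
    (r"C:\Users\Admin\AppData\Local\Temp\BBLb.exe", "family_purelog_stealer"),
    ("behavioral1/memory/1612-1006-0x0000000000130000-0x0000000000270000-memory.dmp", "family_purelog_stealer"),
    (r"C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe", "family_purelog_stealer"),
    (r"C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe", "family_purelog_stealer"),
    ("behavioral1/memory/1204-5194-0x0000000000C90000-0x0000000000DD0000-memory.dmp", "family_purelog_stealer"),
]


def summarize_hits(hits):
    """Return (regions, files): regions[family][pid] is a set of (start, end, size)
    with repeated dumps of one region collapsed; files[family] is the set of on-disk hits."""
    regions = defaultdict(lambda: defaultdict(set))
    files = defaultdict(set)
    for resource, rule in hits:
        m = MEMDUMP_RE.fullmatch(resource)
        if m is None:
            files[rule].add(resource)
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions[rule][int(m["pid"])].add((start, end, end - start))
    return regions, files


def shared_region_sizes(regions):
    """Region sizes that recur under different PIDs for the same family. An identical
    size is a hint (not proof) that the same unpacked image was mapped into each process."""
    out = {}
    for family, by_pid in regions.items():
        size_to_pids = defaultdict(set)
        for pid, regs in by_pid.items():
            for _start, _end, size in regs:
                size_to_pids[size].add(pid)
        shared = {size: pids for size, pids in size_to_pids.items() if len(pids) > 1}
        if shared:
            out[family] = shared
    return out


def main():
    regions, files = summarize_hits(SAMPLE_HITS)
    for family, by_pid in regions.items():
        for pid, regs in sorted(by_pid.items()):
            for start, end, size in sorted(regs):
                print(f"{family:24} pid {pid:<5} 0x{start:08X}-0x{end:08X} ({size:#x} bytes)")
        for path in sorted(files.get(family, ())):
            print(f"{family:24} file {path}")
    for family, shared in shared_region_sizes(regions).items():
        for size, pids in shared.items():
            print(f"{family}: {size:#x}-byte region seen in PIDs {sorted(pids)}")


if __name__ == "__main__":
    main()
```

Run over the full tables, the 31 ZGRat rows collapse to four regions in three processes (PIDs 1148, 1612 and 1756), and the PureLog hits in BBLb.exe (1612) and AttributeString.exe (1204) are both exactly 0x140000 bytes, which fits one stealer image being mapped into both processes.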
Downloads MZ/PE file
-
Executes dropped EXE 19 IoCs
Processes:
pid | process
2308 | vctuacx.exe
2880 | vctuacx.exe
1148 | Dropakxa.exe
1612 | BBLb.exe
2832 | Dropakxa.exe
1992 | Dropakxa.exe
2172 | Dropakxa.exe
2888 | Dropakxa.exe
1744 | Dropakxa.exe
2276 | Dropakxa.exe
2464 | Dropakxa.exe
2576 | Dropakxa.exe
2816 | Dropakxa.exe
2564 | Dropakxa.exe
1756 | BBLb.exe
2092 | DropaDkxa.exe
3032 | DropaDkxa.exe
1204 | AttributeString.exe
612 | AttributeString.exe
-
Loads dropped DLL 26 IoCs
Processes:
pid | process
1152 | c0facaa9561e361afe9d92d38e2793a0.exe (2 rows)
2308 | vctuacx.exe
1988 | c0facaa9561e361afe9d92d38e2793a0.exe
2880 | vctuacx.exe
1148 | Dropakxa.exe (11 rows)
1612 | BBLb.exe
2880 | vctuacx.exe
2092 | DropaDkxa.exe
2128 | WerFault.exe (7 rows)
-
UPX packed file 8 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1988-13-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral1/memory/1988-16-0x0000000000400000-0x0000000000663000-memory.dmp | upx
behavioral1/memory/1988-15-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral1/memory/1988-25-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral1/memory/1988-24-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral1/memory/1988-18-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral1/memory/1988-49-0x0000000000400000-0x0000000000663000-memory.dmp | upx
behavioral1/memory/1988-85-0x0000000000400000-0x0000000000667000-memory.dmp | upx
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 6 IoCs
Processes:
description | pid | process | target process
PID 1152 set thread context of 1988 | 1152 | c0facaa9561e361afe9d92d38e2793a0.exe | c0facaa9561e361afe9d92d38e2793a0.exe
PID 2308 set thread context of 2880 | 2308 | vctuacx.exe | vctuacx.exe
PID 1612 set thread context of 1756 | 1612 | BBLb.exe | BBLb.exe
PID 2092 set thread context of 3032 | 2092 | DropaDkxa.exe | DropaDkxa.exe
PID 1204 set thread context of 612 | 1204 | AttributeString.exe | AttributeString.exe
PID 612 set thread context of 1064 | 612 | AttributeString.exe | MSBuild.exe
-
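Each row above is one SetThreadContext call from a parent onto the main thread of a process it just created, which is the hallmark of process hollowing. The first five rows target a second copy of the same image (the loader re-launches itself, replaces the image and resumes it); only the last row writes into a different image, the Microsoft-signed MSBuild.exe, which is where the final payload ends up. The added example below is mine, not part of the Triage report: it parses the rows, tells self-hollowing from cross-image injection, follows the chain of context writes from a PID, and flags writes into a signed .NET host. The host list is my own heuristic; only MSBuild.exe appears in this report.

```python
import re

# Constructed copy of the six SetThreadContext rows from the table above, one per line.
SAMPLE_ROWS = """
PID 1152 set thread context of 1988 1152 c0facaa9561e361afe9d92d38e2793a0.exe c0facaa9561e361afe9d92d38e2793a0.exe
PID 2308 set thread context of 2880 2308 vctuacx.exe vctuacx.exe
PID 1612 set thread context of 1756 1612 BBLb.exe BBLb.exe
PID 2092 set thread context of 3032 2092 DropaDkxa.exe DropaDkxa.exe
PID 1204 set thread context of 612 1204 AttributeString.exe AttributeString.exe
PID 612 set thread context of 1064 612 AttributeString.exe MSBuild.exe
""".strip().splitlines()

ROW_RE = re.compile(
    r"PID (?P<pid>\d+) set thread context of (?P<target>\d+) \d+ (?P<image>\S+) (?P<target_image>\S+)"
)

# Signed .NET hosts that hollowing loaders commonly pick as the final container.
# This list is my own heuristic; the report only shows MSBuild.exe.
SIGNED_HOSTS = {"MSBuild.exe", "RegAsm.exe", "RegSvcs.exe", "InstallUtil.exe", "AppLaunch.exe", "vbc.exe"}


def parse_rows(rows):
    """Turn each table row into {pid, target, image, target_image}."""
    events = []
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if m:
            events.append({"pid": int(m["pid"]), "target": int(m["target"]),
                           "image": m["image"], "target_image": m["target_image"]})
    return events


def is_self_hollowing(event):
    """Parent re-launches its own image suspended and overwrites it (the first five rows)."""
    return event["image"].lower() == event["target_image"].lower()


def follow_chain(events, root_pid):
    """Follow pid -> target links from root_pid, e.g. 1204 -> 612 -> 1064 for AttributeString.exe."""
    next_pid = {e["pid"]: e["target"] for e in events}
    chain = [root_pid]
    while chain[-1] in next_pid and next_pid[chain[-1]] not in chain:  # stop on cycles
        chain.append(next_pid[chain[-1]])
    return chain


def flagged_hosts(events):
    """(src pid, src image, dst pid, dst image) for every context write into a signed host."""
    return [(e["pid"], e["image"], e["target"], e["target_image"])
            for e in events if e["target_image"] in SIGNED_HOSTS]


def main():
    events = parse_rows(SAMPLE_ROWS)
    for e in events:
        kind = "self-hollowing" if is_self_hollowing(e) else f"cross-image into {e['target_image']}"
        print(f"{e['pid']:>5} {e['image']:40} -> {e['target']:>5} {e['target_image']:24} {kind}")
    print("chain from 1204:", " -> ".join(map(str, follow_chain(events, 1204))))
    for src, src_img, dst, dst_img in flagged_hosts(events):
        print(f"ALERT: {src_img} ({src}) hollowed signed host {dst_img} ({dst})")


if __name__ == "__main__":
    main()
```

The same rows also explain the Program crash entry further down: the hollowed DropaDkxa.exe child (3032) is the process WerFault.exe reports on, so that branch of the chain died before it ran.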
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2128 | 3032 | WerFault.exe | DropaDkxa.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid | process
1148 | Dropakxa.exe (20 rows)
2664 | powershell.exe
612 | AttributeString.exe (2 rows)
1732 | powershell.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1152 | c0facaa9561e361afe9d92d38e2793a0.exe
2308 | vctuacx.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1148 | Dropakxa.exe
Token: SeDebugPrivilege | 1612 | BBLb.exe
Token: SeDebugPrivilege | 1756 | BBLb.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeDebugPrivilege | 2092 | DropaDkxa.exe
Token: SeDebugPrivilege | 1204 | AttributeString.exe
Token: SeDebugPrivilege | 612 | AttributeString.exe
Token: SeDebugPrivilege | 1064 | MSBuild.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1152 | c0facaa9561e361afe9d92d38e2793a0.exe
2308 | vctuacx.exe
2880 | vctuacx.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rows | description | pid | process | target process
4 | PID 1152 wrote to memory of 2308 | 1152 | c0facaa9561e361afe9d92d38e2793a0.exe | vctuacx.exe
5 | PID 1152 wrote to memory of 1988 | 1152 | c0facaa9561e361afe9d92d38e2793a0.exe | c0facaa9561e361afe9d92d38e2793a0.exe
5 | PID 2308 wrote to memory of 2880 | 2308 | vctuacx.exe | vctuacx.exe
4 | PID 2880 wrote to memory of 1148 | 2880 | vctuacx.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 1612 | 1148 | Dropakxa.exe | BBLb.exe
4 | PID 1148 wrote to memory of 2832 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 1992 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2172 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2888 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 1744 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2276 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2464 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2576 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2816 | 1148 | Dropakxa.exe | Dropakxa.exe
4 | PID 1148 wrote to memory of 2564 | 1148 | Dropakxa.exe | Dropakxa.exe
2 | PID 1612 wrote to memory of 1756 | 1612 | BBLb.exe | BBLb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1152
    C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2308
        C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2880
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 1148
                C:\Users\Admin\AppData\Local\Temp\BBLb.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of SetThreadContext
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 1612
                    C:\Users\Admin\AppData\Local\Temp\BBLb.exe
                      command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 1756
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2832
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 1992
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2172
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2888
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 1744
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2276
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2464
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2576
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2816
                C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
                  - Executes dropped EXE
                  PID: 2564
            C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              PID: 2092
                C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
                  - Executes dropped EXE
                  PID: 3032
                    C:\Windows\SysWOW64\WerFault.exe
                      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 124
                      - Loads dropped DLL
                      - Program crash
                      PID: 2128
    C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
      - Loads dropped DLL
      PID: 1988
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {F9F9DEE9-A1F5-4B36-B2D0-38B672C559E7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:S4U:
  PID: 2708
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2664
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1732
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {6A780D5A-0870-4CAE-9340-956D20C03FFB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  PID: 960
    C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
      command line: C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      PID: 1204
        C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
          command line: C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 612
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              - Suspicious use of AdjustPrivilegeToken
              PID: 1064
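Both powershell.exe nodes in the tree above, launched under taskeng.exe (a scheduled task), run with `-enc`, which PowerShell decodes as Base64 of UTF-16LE text. The added example below is mine, not part of the Triage report: it recovers the script from the command line shown for PID 2664 and flags Windows Defender exclusion changes and protection-disabling switches. The command line is copied from the tree; the regexes and switch names are my own.

```python
import base64
import re

# Constructed from the powershell.exe node for PID 2664 in the process tree above.
SAMPLE_CMDLINE = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA"
)

# Add-MpPreference exclusion switches, and Set-MpPreference switches that turn protection off.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-(Exclusion(?:Path|Process|Extension|IpAddress))\s+([^;\r\n]+)",
    re.IGNORECASE,
)
DISABLE_RE = re.compile(r"Set-MpPreference\s+-(Disable\w+)\s+\$?true", re.IGNORECASE)


def extract_encoded_command(cmdline):
    """Decode the -EncodedCommand payload from a PowerShell command line, or return None.
    PowerShell accepts -e, -ec and any prefix of -EncodedCommand; the payload is
    Base64-encoded UTF-16LE text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok or tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag in ("e", "ec") or (flag and "encodedcommand".startswith(flag)):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def find_defender_tampering(script):
    """List (switch, value) pairs for exclusion additions and protection-disabling calls."""
    findings = [(switch, value.strip()) for switch, value in EXCLUSION_RE.findall(script)]
    findings += [(switch, "true") for switch in DISABLE_RE.findall(script)]
    return findings


def main():
    script = extract_encoded_command(SAMPLE_CMDLINE)
    print("decoded:", script)
    for switch, value in find_defender_tampering(script or ""):
        print(f"ALERT Defender tampering: -{switch} {value}")


if __name__ == "__main__":
    main()
```

The decoded script is `Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;`. The path exclusion covers the directory the persistence copy lives in (C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\) and the process exclusion names that copy, so the scheduled-task stage that follows runs outside Defender's scanning.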
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
510KB
MD5
2738e6311dfb65c10746a7e823f9c420
SHA1
dff9f71a4ec25e8bb172629618416bc404a4cd49
SHA256
0da7fc29b321a65e7244308f99d4370a67a81c2b9407aedbee4e5a97cfde44e3
SHA512
70dbcbdecfe67d2507b09b30906a8760abdf69588287543e8251022347d98697dd051bae0c82dc2918d20f11d508e7b7273ffc68e2661d72ccb47194246d5a60
-
Filesize
1.2MB
MD5
6a84fb8031a6073d6f4d9f3dac12f277
SHA1
19a5b6e4a107857da24779d92f446729f02825f0
SHA256
f2633b79deed5997488498e8d3ba0bc51a4eb3a3afcc05d431b15870b1d1cf0e
SHA512
b075312ad68787dfe670a7cee5323d8512f99fc3af6f3dd53f2ba9856a0f133681ed605c81da1a87bc58432c7d9db0a225342b091158c9cd0c1eeabbeb26e1e5
-
Filesize
1.2MB
MD5
eb204f6dab7cf388aaab7888ee65d05f
SHA1
db6939b8790fa8bd6389d0677372ac1ca9cf7ce2
SHA256
751bc8e153fb220c1f91fb9fbe128cc6e5818b06468f766c75a7154acbb0f37e
SHA512
57ae37eb1bfc9ef21fbce4568957ddc22988d90d610b9dcb1d0a53e4c35a838119f1ec750cac3a943bf5e58955c223d0a244362e8cf92e9a9fb039d78170077f
-
Filesize
1.1MB
MD5
d2a7797f65d6b62f3713eddcaf73750c
SHA1
20f0368240a9f8efd5f0445a2c7f325539b2b32f
SHA256
096d84ea8e861cbf3b62f9f6761a1d0cb166fda236c296449a9a4cd67da8eab2
SHA512
70aa5e1d1aff6f0354c90e03e45d16764c444d0a4b7b4ee3e559ba782be01811030c76b85c53121002fc6c8aacfc1f9bef44e2c7b12f0cffdaff545708766e04
-
Filesize
1.2MB
MD5
16e2a532137be4ad240133f4aa246c32
SHA1
ed2342853ae2b4cd5303ee56037501a2d89b515e
SHA256
d30845a4bc7a48cfbdfe6d977c3deac99f5d5f59f6a7c688999676e10608f960
SHA512
6c0c4c6495da845496e7ed5783fe199a721ebedc75504d7afc08bb0bfc2797e77331eddd79e2a727a87457b6000f4776cf1c467c32d895908c0eae7c46a2224e
-
Filesize
1.4MB
MD5
56bac36092872b5f22da31df51937a45
SHA1
fc3f340694ff92560bfd4dc1f71f7a405d29ad89
SHA256
8637f7717ca9131a408987ca277555edf2b6fdc890f769e892d77300a7f623e9
SHA512
c1910d8c806306cc36c735e97c495a3f0e8b591c4e0b48eac7ca7c273a7ddfa6d7439a9112a17c19727e95dda0d7cc2b5e7869b17e43d69c3c9572b985a697db
-
Filesize
1.3MB
MD5
c57b4de6823f4782aaffe1739af664e5
SHA1
a5bdd27957394b06ed5739c7cfcc4e513a3f36c0
SHA256
c13dd20cddbff666755cd9fe5e8073c2d97889393d29c0a9b97a010f2828f068
SHA512
e6e9a70cef18f516e0a3cdd5f64d928c1e248811c6d1be515e073ddc27fc0c57df96f7575089b9d44c534a98cc30970fd8c1303e65c6b5561c711415163a57f3
-
Filesize
128KB
MD5
3d9ff8a504031fbbd2d866828ee7a642
SHA1
bd70d5e1e4e983ab855c19cc5021a193e0f43922
SHA256
82774139d6d23804accfc50c556856d472a79811deae8ffd52f0feb65bfeec9e
SHA512
43404ddd65207b94b80d27b0de35d5a17f7dec268567036f850b106543ef0993c57160e719ef0d9da9682dfc5b05f5dcd4a51751c588136ebead1efd6609f29a
-
Filesize
1.0MB
MD5
77a9af8a6f2aa1d2e088ddc9e4744898
SHA1
756bdbae22fe5efb2d5ce857f6b9e350875270ee
SHA256
d67b926f192cab5e8defb5ff22bbf79e3db1461b891c8644cd4e1442c577026d
SHA512
14dfd6adecf9b9d4f88a15f15cc52c62f9ee2f75d3d494f91061064c9cf543c164083528f211e8a2c273c94386cc5892c051eee64bb88e72700e7e5cb368d7ce
-
Filesize
64KB
MD5
d2c8ab0106d33d9a0b1fd939198f4224
SHA1
53ef0dbc5735486a5b8288a16e77fb71a967ba8c
SHA256
1a0a89b5faf16dac66cf7f64767b41cb6d41bea97b37b8c56b17d79da99390c9
SHA512
e5707b62186cd62c45951005681065ac87a62fb1400693205e5639dc7f453a09b8b85422320dfa697c36447d8a7b74e812443800bf0c84f038ae42709fdd68c0
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
979KB
MD5
7cb9f2b9fc46e1d7c81aacf1918b635e
SHA1
63820b7c3e92e2c3622f95c7246f2405e5a1ec8f
SHA256
6aef22390f556ce1c6e57e3a482a07c925c85d2fd26969090b06a3ae647bd6a0
SHA512
aa5e3d485113b046306ad59815d51bc2046f655b02becd7254964c4bd7c3b558e33cdee01b1cd9405ac9db8663641a4c630a347268d7aecd3778d282ed08bcc4
-
Filesize
804KB
MD5
901647add3d61eabca6f4ccd981cd457
SHA1
923f4be54c26ff574d5d737d118655e53821c0ba
SHA256
2b1d616e3c1944126c18bcdf81bca6a65f15bc8cd654b106408c5d34cdb719b7
SHA512
ae733fa86116c9781586266bc5513b1b32f85f5262c29d4b9fedc4af668e1a6afcff5fe32b7faf7a554fc8b58c71b0e2104fdac7fb0ae3568838cd81e630261b
-
Filesize
942KB
MD5
bf5e6f7ad139d9b44c959fab6126ae48
SHA1
b511e899b4f47577b11286b6e134dbe0a5659147
SHA256
12bf6f4e44962ea92999c3fcc6751b2f0f8d163be9ae7b290cfba8d7dee432e3
SHA512
f0c4f5c6984d14ee60913c2784cf9ccd7904a254b46f7bca67aa3eb349dfd5956900e66c80dbae1e084b71ae7555d9a7ac56b2d42801c7a990f368daa78fba81
-
Filesize
2.1MB
MD5
1a917a85dcbb1d3df5f4dd02e3a62873
SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6
SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec
-
Filesize
1.8MB
MD5
a57729fb7bff6062d9aae738e04b264f
SHA1
152b25d01d4042f9a17ad76a0f4cdd90a90005e7
SHA256
541e3a75f3d258e30c211866fe1b75e573dfd00e8488d10d1e6fafa17d0bf145
SHA512
059fed22bb1094accd1ce156827aaede68269bc1c6ea8bcce1992117239df9923ddb02c7619d9f55723199dfda6278316b53c74af72e62233ef9dc96cd6c1bf9
-
Filesize
508KB
MD5
b0ff12175629c451084af8d40925bab0
SHA1
adbc6f27fe0094fd2f7788080e817f4cd2cebce8
SHA256
8c7089f8b1dc687eb609a76ac6bebf67b3d90168604ea624ddc8c206b19f91c0
SHA512
60efb4c9c1c0e4310252392de96dc8762d9e5529ba5e292b98aef7f207e2c4f58b67cb7819060828967a02ffdf352ee624b65e40d807ba5e4cdcfe6498430b62
-
Filesize
494KB
MD5
926982c446e011078d140355fb07f929
SHA1
21615be164d751111bcce74a1e3029e8a830979a
SHA256
66746a1531182809a7ae7c514b5858840548a715847aca6d5bef0de05dc606d0
SHA512
32ce88d80e2a5574f2317f894c2e64128b043be80c7a9580eaf0a0bf229d6390b7ebde3dc0c64fc9a11c9ac6834aea73a50fb87dae3d59f1a0d11e22cac0ec13
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
a7794532b8bc992e4524df357873026e
SHA1
ce0898e1e07ac2afbbdf0728935283d780a43723
SHA256
6191e7e154da4491e85dceca26db9d2b4c9cca88180dea4c71b568a8900ed36c
SHA512
27eed2b3ee31f2762915ce6772a3e9bdc3ac552cf5296b23f21ec8752b8727824465d01dad6c6f244348632ffedb01b4825aeddf6b9e64326078e2c913bda912
-
Filesize
1.2MB
MD5
71eb1bc6e6da380c1cb552d78b391b2a
SHA1
df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
SHA256
cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
SHA512
d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90
-
Filesize
1.1MB
MD5
c43f9e71adc553cfd066fff8faa951fc
SHA1
b42ed3117d59c78a9aae1f3808239c8396478cd7
SHA256
067522f8c4d0832c9c7495fb46638aa41e0387994284fab89e0ac6885f6a76a8
SHA512
d1822bc87a5bbbd34e2c374cd4eb384f5b965671215e6e70a6f59b07b5fcacbcfcfcd678d8894ffe818861a6694a32b9414d57d45143a5a6908431b77f4b2748
-
Filesize
1.8MB
MD5
ad7af059b52c2a4f24bffd563b27bcb3
SHA1
ce0d642c692f1c23c838c5d4232c9d2261bf5e1c
SHA256
0bc77bf0a4624a031179c2e502e650f3533e1c62cfdc3f555210317322c98d64
SHA512
75a9c7f3b87405d1d56e5c1a81dd8b20394bfb5a50af15c685f63a5651c6607f8152841453ef1403a8b26c3fd8f14de80ab20d3fb261e7655476d3d8cc56acd9
-
Filesize
1.4MB
MD5
c017ac6363e7d39abbecf8347cd479fd
SHA1
30cd34b1a7d5e981b6f5653cf478999aa76b7792
SHA256
0a04e77d164bf3eb3c96910b0e5b6bc6709d79fa0065a1a7dd9bbbfb414a2fb5
SHA512
35253cb41f963b6d1d5f151677d5e62bc2f34f789e56b8730b9fb90fa6384f7c850bd5127113090a863084f8a90de6c824033323fbcd52fe6dcb8734d41dc602
-
Filesize
81KB
MD5
b7a65e28d323e7ccc6727daafae7fede
SHA1
524e1b10ef8b50e16413a9feb90ca3aa2196c06c
SHA256
e9a73f79b31c109d68ccd29d78589676265f9c0b1fccb18f784f43b1efa36767
SHA512
7ec76f0e181841fdfa001179e4160ad713072a787557f8d194dde9b7f8066c50069e5400d2fce6c39bb9f383396b9fe755409bb8f3640a77d106d88cf5aecd71
-
Filesize
115KB
MD5
8185a69623e729994f4919d4559d4f25
SHA1
89645e506f85348f56b9efe2b328a2cb79080846
SHA256
c9f8af665c4d958cd778d72013e667ae8c92312776e7a1795c80ca3822ed1ab0
SHA512
ccd921fbf5f689fb56c3ad257160a7910d2484629ae9c9241097156142bec3d0bec0bca25c770a5bc2fda02c55af099e3429d2e41f2b32480f8331f2c386acee
-
Filesize
44KB
MD5
c6afb0c004d21f8fdc5466e5b9570246
SHA1
da3585ad7f8b9b48c1b4936257881f9dd307d52a
SHA256
ebdbf9249394834c3ea133f8cbfc144a59e427f60c99317cba9ac73d58eb941d
SHA512
99e7804b085a459c9570174f8af4fc0cb71749422c111380ca0a77f195ea19fd6dd6c6901bd1a9e68b2d74e3478e63c19bfec63c0a53674d82acd946c84dbc37
-
Filesize
61KB
MD5
7aa0db0511abc4d54de27b5ee07934dd
SHA1
04ed31bae856de6b79b2e0fb9d4cb18a5ef30d74
SHA256
a39f715893992c0370a7196ab0f78e090c27785ea83ff4fa31288edba32e0c36
SHA512
78ca8b8f41c2495b13f837696ffd5c719177db7e19ef4c8b373c6c1ba206eac847c173420add7e31ab9e73114db087ef74b3fa0029438459e22d7405ba90ec58
-
Filesize
90KB
MD5
bf61f338cc128a606e19a45341002853
SHA1
a34b4b29d7d486b846b862ff90ce8154e2cce612
SHA256
d5a856e0f918694ab607ae59f12a06bb2451a43747a38fad3cd8683b1f844a08
SHA512
76d37bdfff437211bfe9b3f85d24dab44bb8775aa50abaf40a24c279f8ade4e09e49abec4c0d0d789b2b5d576b29bd806bcf6a3c5db64b8a00f4f650c687db02
-
Filesize
52KB
MD5
e61fe70d671ca6e00aa25f8b815fad9d
SHA1
2b468f1cb1fb761fc97fadcf40fe20da4507f44e
SHA256
775d577ee31ec9dc960bae075095e86f4f27c843e8cf55ad7cdce1d67d554f88
SHA512
a42bf88b9ba7dcd096582d0e81d6edb724c56388074e6f4f02c72b78f5eac2e910a28f407c232d8fe84dbfd7fe6dbb99df21d7996f2fea8c7071296c8808d7f9
-
Filesize
1.6MB
MD5
befdec4920dc463a48214a64e3a3fc57
SHA1
3f2f468d3199e61aeb9805179fee3bf3e69b40e0
SHA256
670bed58b303646141f7c6de74e2651293494182335d421a02b40fa33ea66780
SHA512
e989f5eee83e2e2818620451431aa21b598ef666b71be1f3b01fedf904c1fe5d700cdb003b4a89b348412ed2263f76387b884b63c1428eea04047b11e8e2b370
-
Filesize
954KB
MD5
e3037f3e2b965b491948505ea85c3b65
SHA1
ad6272397cb611bae7141363d050f91d47b99b97
SHA256
e54c79f902772f59681cadbd5115fe5a6e753eadcaeaa3b69d6dc3bb84a4129b
SHA512
74fba3e9dd6bd73f54b1fa691713235188d4c69961122eedfae0bd1b12cb401978017bc68516924525267ead97b2794f2f6d2ced4a3ef46ef2b41665a1c6de5a
-
Filesize
1.7MB
MD5
715b62e332a0b52b690bb724d56a43cc
SHA1
0855176779c6d75642d64edc682ca8b11756410f
SHA256
751be823130da932b588761b596984f8a896b0c88da34981945a2d0de8f1ec96
SHA512
6dc536b007d12790de713f5eb71d3d29ad395f9bbb8b3ae1452f699e030fac7476752cb0469d846cda0893e5beb615d423ff8e6f4aa0bb8e3b8691610dc77eb5
-
Filesize
1.0MB
MD5
d470c5acd68b7528856836ae90a3b395
SHA1
a3aa63951f1e70cc1a3b2fa36b9373de194244da
SHA256
23d6df0dd3cab83fd927d6602c5ffdd3b87f3e0ed03d386b2d9eb255c54d131e
SHA512
46d0494169c56952caad58cd63c9e2064fea60e9ec4ae85a93acc73152690114eab51f65c5b7ad1bb203452e59fbd22e7a5ee2fd6c331ca24a88052f85fe648e
-
Filesize
192KB
MD5
2a86f6ec50089c5e50a07dcd113ff65b
SHA1
6e419db1a719a214164ec46d58b5aac4ea9f4ada
SHA256
a502e3afa1a6207c43789ce9b866012041be2241c0c26feeded4ef82bb5eade4
SHA512
e088d2bd5a5fb6b3f681e37fe68c386f704001fe0b6c8f5dbe25b14cf833d1c27ce0c18a4ad4aed7313b4b8444436fd6a71b6510688920f081fb7f287a2fd1eb
-
Filesize
941KB
MD5
c84b71ce414bcbcc310ac6ed6316cf19
SHA1
3272c21fd9948783694627f05ce65a8cdfa793b2
SHA256
e0c20b2b6bb4248c295c2c518a7e0efd502850cd5794b6d19f1f070342f378fe
SHA512
ba31cb0046617ef884337b4e57f322f2ad834725762e13f8ce0ba2f89182ca539dcb00d6ce94c301e510768787844142e5375198cd42f6e951179e86f35ee6ed
-
Filesize
1.0MB
MD5
21d13f88cf023762c741bbb8e3d5e0f1
SHA1
2d679ab260b243e5a6d49422fe4406c5eac81f3c
SHA256
c7ee4abe275207aa56e8a519fc92af8c8cbb3b452b7adc2b8aacf20e5587fce2
SHA512
bfd53d113d5799248adde1beba931cf7bbea5e760f26eb9fd17c4b9d48a8283b9f969cc0b9bdcfd3126cd5da650515d3e117eaea666c1ee2f13dabcf5fd408f2
-
Filesize
786KB
MD5
9f99821463ee96b48d882e7fe44f30c2
SHA1
02dcbe14da05fd90342149b2bef2f93cc1073b40
SHA256
b58c672da752eb3a20a1bbc2f8b3ba71884998c241cae72da7bb1872a679085c
SHA512
283ff20a7fe1a74a331c9c3acfbdbf4061858bed17d7d1279a3819b75d45965e4c1b52775ac98ebc6f45ae40ddaf3244235a8bb61c2be2618fd512aa86f25180
-
Filesize
19KB
MD5
2b41b95af46b68453332f2a18119c087
SHA1
342b41f904d868f88bfb10cff44079ec67039b15
SHA256
1f0196686bc4c083e0aad18182707e6e77ac75f566037e586c8fe5aa974eafea
SHA512
24a16927e93b45b4af7aec10f9b0aaccbadbc152c0a9cc7000c05164691794bbba870669a96b95827c36f382ee0a5a652b492538bbd33a66eefa46227b0e0732
-
Filesize
761KB
MD5
305145814473e0c4e5c7f29ccdca213a
SHA1
8579674138f71bbe2339801db6966263d7bac518
SHA256
e431cea88bd0ba9b80cb47e2705148e473b1076296e501a3d873db7b3a150da7
SHA512
0f759a1f8824143489f44c300999db31b576572e28f77b4c8f3589a88717df3e53908d330c932fcb8e3c4264f3912baa1302b29231447365c3f136f3d8761aee
-
Filesize
2.0MB
MD5
6dad17a1d628886f2c1d5d73ebfbf744
SHA1
272c79fe0abaa326f156e47e8d0ee028b6b4b1bb
SHA256
23c70c027597b9c028871567652d1cc901f73f03c9600086ec9a9b99df0efda2
SHA512
7e108e46f005116a2be1fe86bd7c654c77b9e96b2ce0b5e2693642259c83099022790aa4e456c2c96aad6329eaacb734dccc1a971c15e31c705454d8b6245b98
-
Filesize
35KB
MD5
e3a6587ba5a4ee4514ecaa4265dd9b2c
SHA1
b44bb9b5fc3478fa6ea5140603857ee0c2d4c4fd
SHA256
566934a049ae41fe36e2e122825875e5c02d4db083e744a7a3c94f456cec2f94
SHA512
90f4e5ceac00a0815452ef951feb3aa29e6ef408d8d4cda023c3fdd49ba0238e06589cee9cc0be842eddd1b02bd1d448d9ab8bdaed70651b38d6074c9f99d22f
-
Filesize
140KB
MD5
d6bfa5d4d5d67dd73013e5b400cac2e7
SHA1
725f7fec0fd1f245c44ab1c228cd349a5e12bd71
SHA256
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
SHA512
e5d58b64de4d398290d0cd79d44a516ca2528bd183566926ea1f3b9211b20fa5c2244bcc8bd3cc1f3b1d470dc257b72b8d3530d682fff00b7b52227c6c3c7808