Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-03-2024 15:48
Static task: static1
Behavioral task: behavioral1
- Sample: c0facaa9561e361afe9d92d38e2793a0.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c0facaa9561e361afe9d92d38e2793a0.exe
- Resource: win10v2004-20240226-en
General
- Target: c0facaa9561e361afe9d92d38e2793a0.exe
- Size: 1.1MB
- MD5: c0facaa9561e361afe9d92d38e2793a0
- SHA1: 135c63fbf3659951888c74dde12df75575664eca
- SHA256: d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
- SHA512: 50f1dcda7ad25017241ba8f46494653e4f64e35a6af57a64ec149802f4e25124ff5d3adbdf81a4137bedb122e688987fa6f36ebfa45a9e0638803f9388965abb
- SSDEEP: 24576:nqqPzCBX6k4NCC0pOVXPbhH4DZ0XscH93EyLvWvfwi4Zm3:nqqGkRkCNFhH4DZ08cH93EyzwolZi
Malware Config
Signatures
-
Detect ZGRat V1 31 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1172-57-0x0000000005B70000-0x0000000005D78000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-58-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-59-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-61-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-65-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-69-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-67-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-71-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-73-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-75-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-79-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-81-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-83-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-85-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-87-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-89-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-91-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-95-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-97-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-93-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-99-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-77-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-101-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-103-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-63-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-105-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-107-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-111-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/1172-109-0x0000000005B70000-0x0000000005D73000-memory.dmp | family_zgrat_v1
behavioral2/memory/2024-1019-0x0000000005520000-0x000000000564A000-memory.dmp | family_zgrat_v1
behavioral2/memory/4008-1988-0x0000000005480000-0x0000000005568000-memory.dmp | family_zgrat_v1
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\BBLb.exe | family_purelog_stealer
behavioral2/memory/2024-1010-0x0000000000A50000-0x0000000000B90000-memory.dmp | family_purelog_stealer
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
A process was created with a parent other than the caller (parent-PID spoofing). The process tree below shows both dialer.exe instances (PIDs 3224 and 4464) parented to sihost.exe (PID 2660), while the WriteProcessMemory records show Dropakxa.exe PID 1784 writing into dialer.exe PID 3224: the droppers launched dialer.exe and pointed its parent at sihost.exe.
Processes:
description | pid | process | target process
PID 1784 created 2660 | 1784 | Dropakxa.exe | sihost.exe
PID 1452 created 2660 | 1452 | DropaDkxa.exe | sihost.exe
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | c0facaa9561e361afe9d92d38e2793a0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | vctuacx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Dropakxa.exe
Executes dropped EXE 17 IoCs
Processes:
pid | process
896 | vctuacx.exe
3964 | vctuacx.exe
1172 | Dropakxa.exe
2024 | BBLb.exe
4548 | Dropakxa.exe
1784 | Dropakxa.exe
2236 | BBLb.exe
4068 | BBLb.exe
4008 | BBLb.exe
3244 | AttributeString.exe
5040 | AttributeString.exe
1368 | AttributeString.exe
1288 | DropaDkxa.exe
1552 | DropaDkxa.exe
1776 | DropaDkxa.exe
424 | DropaDkxa.exe
1452 | DropaDkxa.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
4424 | c0facaa9561e361afe9d92d38e2793a0.exe
UPX-packed code in memory (yara rule upx) 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4424-19-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral2/memory/4424-21-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral2/memory/4424-22-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral2/memory/4424-23-0x0000000000400000-0x0000000000663000-memory.dmp | upx
behavioral2/memory/4424-29-0x0000000000400000-0x0000000000667000-memory.dmp | upx
behavioral2/memory/4424-933-0x0000000000400000-0x0000000000663000-memory.dmp | upx
behavioral2/memory/4424-994-0x0000000000400000-0x0000000000667000-memory.dmp | upx
Suspicious use of SetThreadContext 8 IoCs
Processes:
description | pid | process | target process
PID 4800 set thread context of 4424 | 4800 | c0facaa9561e361afe9d92d38e2793a0.exe | c0facaa9561e361afe9d92d38e2793a0.exe
PID 896 set thread context of 3964 | 896 | vctuacx.exe | vctuacx.exe
PID 1172 set thread context of 1784 | 1172 | Dropakxa.exe | Dropakxa.exe
PID 2024 set thread context of 4008 | 2024 | BBLb.exe | BBLb.exe
PID 3244 set thread context of 1368 | 3244 | AttributeString.exe | AttributeString.exe
PID 1288 set thread context of 1452 | 1288 | DropaDkxa.exe | DropaDkxa.exe
PID 1368 set thread context of 4828 | 1368 | AttributeString.exe | InstallUtil.exe
PID 4828 set thread context of 532 | 4828 | InstallUtil.exe | InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
4332 | 1784 | WerFault.exe | Dropakxa.exe
4452 | 1784 | WerFault.exe | Dropakxa.exe
1616 | 1452 | WerFault.exe | DropaDkxa.exe
2688 | 1452 | WerFault.exe | DropaDkxa.exe
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
pid | process | entries (33 rows in total; repeated rows collapsed, count in last column)
1172 | Dropakxa.exe | 2
1784 | Dropakxa.exe | 2
3224 | dialer.exe | 4
2024 | BBLb.exe | 4
3624 | powershell.exe | 3
3244 | AttributeString.exe | 2
1288 | DropaDkxa.exe | 6
1452 | DropaDkxa.exe | 2
4464 | dialer.exe | 4
1368 | AttributeString.exe | 2
4176 | powershell.exe | 2
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
4800 | c0facaa9561e361afe9d92d38e2793a0.exe
896 | vctuacx.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description | pid | process
Token: 33 | 2376 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2376 | AUDIODG.EXE
Token: SeDebugPrivilege | 1172 | Dropakxa.exe
Token: SeDebugPrivilege | 2024 | BBLb.exe
Token: SeDebugPrivilege | 4008 | BBLb.exe
Token: SeDebugPrivilege | 3624 | powershell.exe
Token: SeDebugPrivilege | 3244 | AttributeString.exe
Token: SeDebugPrivilege | 1368 | AttributeString.exe
Token: SeDebugPrivilege | 1288 | DropaDkxa.exe
Token: SeDebugPrivilege | 4828 | InstallUtil.exe
Token: SeDebugPrivilege | 532 | InstallUtil.exe
Token: SeDebugPrivilege | 4176 | powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4800 | c0facaa9561e361afe9d92d38e2793a0.exe
896 | vctuacx.exe
3964 | vctuacx.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 4800 wrote to memory of 896 | 4800 | c0facaa9561e361afe9d92d38e2793a0.exe | vctuacx.exe | 3
PID 4800 wrote to memory of 4424 | 4800 | c0facaa9561e361afe9d92d38e2793a0.exe | c0facaa9561e361afe9d92d38e2793a0.exe | 4
PID 896 wrote to memory of 3964 | 896 | vctuacx.exe | vctuacx.exe | 4
PID 3964 wrote to memory of 1172 | 3964 | vctuacx.exe | Dropakxa.exe | 3
PID 1172 wrote to memory of 2024 | 1172 | Dropakxa.exe | BBLb.exe | 3
PID 1172 wrote to memory of 4548 | 1172 | Dropakxa.exe | Dropakxa.exe | 3
PID 1172 wrote to memory of 1784 | 1172 | Dropakxa.exe | Dropakxa.exe | 10
PID 1784 wrote to memory of 3224 | 1784 | Dropakxa.exe | dialer.exe | 5
PID 2024 wrote to memory of 2236 | 2024 | BBLb.exe | BBLb.exe | 3
PID 2024 wrote to memory of 4068 | 2024 | BBLb.exe | BBLb.exe | 3
PID 2024 wrote to memory of 4008 | 2024 | BBLb.exe | BBLb.exe | 8
PID 3244 wrote to memory of 5040 | 3244 | AttributeString.exe | AttributeString.exe | 3
PID 3244 wrote to memory of 1368 | 3244 | AttributeString.exe | AttributeString.exe | 8
PID 3964 wrote to memory of 1288 | 3964 | vctuacx.exe | DropaDkxa.exe | 3
PID 1288 wrote to memory of 1552 | 1288 | DropaDkxa.exe | DropaDkxa.exe | 1
The table holds exactly 64 rows (repeated rows are collapsed above, with the count in the last column) and stops there, so later writes, for example AttributeString.exe PID 1368 into InstallUtil.exe PID 4828, which the SetThreadContext table shows, are not listed.
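The SetThreadContext and WriteProcessMemory tables above are the raw material for reconstructing the injection chain by hand. The following script is an added example for this write-up, not part of the Triage report or its signature engine: it parses rows in the report's own text format, pairs each thread-context reset with a matching memory write, labels the pair as self-hollowing (same image name on both sides) or cross-image injection, and walks the chains from their roots. The rows embedded in it are copied from the two tables and marked as constructed input; the labels and the chain logic are the script's own heuristics.

```python
"""Pair SetThreadContext and WriteProcessMemory rows into injection chains.

Added example for this write-up; not part of the Triage report. Input rows
are copied from the report's tables and embedded as constructed data. The
'self-hollowing' / 'cross-image injection' labels are this script's own.
"""
import re
from collections import defaultdict

# Constructed input: the eight rows of "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT = """\
PID 4800 set thread context of 4424 4800 c0facaa9561e361afe9d92d38e2793a0.exe c0facaa9561e361afe9d92d38e2793a0.exe
PID 896 set thread context of 3964 896 vctuacx.exe vctuacx.exe
PID 1172 set thread context of 1784 1172 Dropakxa.exe Dropakxa.exe
PID 2024 set thread context of 4008 2024 BBLb.exe BBLb.exe
PID 3244 set thread context of 1368 3244 AttributeString.exe AttributeString.exe
PID 1288 set thread context of 1452 1288 DropaDkxa.exe DropaDkxa.exe
PID 1368 set thread context of 4828 1368 AttributeString.exe InstallUtil.exe
PID 4828 set thread context of 532 4828 InstallUtil.exe InstallUtil.exe
""".splitlines()

# Constructed input: one row per distinct (writer, target) pair from the
# "Suspicious use of WriteProcessMemory" table. That table stops at 64 rows,
# so e.g. the 1368 -> 4828 write is absent and the pairing must tolerate a
# SetThreadContext row with no matching write.
WRITE_PROCESS_MEMORY = """\
PID 4800 wrote to memory of 896 4800 c0facaa9561e361afe9d92d38e2793a0.exe vctuacx.exe
PID 4800 wrote to memory of 4424 4800 c0facaa9561e361afe9d92d38e2793a0.exe c0facaa9561e361afe9d92d38e2793a0.exe
PID 896 wrote to memory of 3964 896 vctuacx.exe vctuacx.exe
PID 3964 wrote to memory of 1172 3964 vctuacx.exe Dropakxa.exe
PID 1172 wrote to memory of 2024 1172 Dropakxa.exe BBLb.exe
PID 1172 wrote to memory of 4548 1172 Dropakxa.exe Dropakxa.exe
PID 1172 wrote to memory of 1784 1172 Dropakxa.exe Dropakxa.exe
PID 1784 wrote to memory of 3224 1784 Dropakxa.exe dialer.exe
PID 2024 wrote to memory of 2236 2024 BBLb.exe BBLb.exe
PID 2024 wrote to memory of 4068 2024 BBLb.exe BBLb.exe
PID 2024 wrote to memory of 4008 2024 BBLb.exe BBLb.exe
PID 3244 wrote to memory of 5040 3244 AttributeString.exe AttributeString.exe
PID 3244 wrote to memory of 1368 3244 AttributeString.exe AttributeString.exe
PID 3964 wrote to memory of 1288 3964 vctuacx.exe DropaDkxa.exe
PID 1288 wrote to memory of 1552 1288 DropaDkxa.exe DropaDkxa.exe
""".splitlines()

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?:set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(lines):
    """Parse report rows into a set of (src_pid, dst_pid, src_image, dst_image)."""
    rows = set()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:  # silently skip header or malformed lines
            rows.add((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def classify_injections(ctx_lines, wpm_lines):
    """One finding per SetThreadContext row: (src, dst, src_img, dst_img, kind, evidence)."""
    ctx = parse_rows(ctx_lines)
    writes = {(s, d) for s, d, _, _ in parse_rows(wpm_lines)}
    findings = []
    for src, dst, src_img, dst_img in sorted(ctx):
        # Same image on both sides: a suspended copy of itself got new code and a
        # new entry point (process hollowing). Different image: payload pushed
        # into a foreign host binary (here the signed .NET InstallUtil.exe).
        kind = "self-hollowing" if src_img.lower() == dst_img.lower() else "cross-image injection"
        evidence = "write+context" if (src, dst) in writes else "context only (no write row in excerpt)"
        findings.append((src, dst, src_img, dst_img, kind, evidence))
    return findings


def unpaired_writes(ctx_lines, wpm_lines):
    """Writes into a process whose thread context was never reset (plain child launch or another technique)."""
    ctx = {(s, d) for s, d, _, _ in parse_rows(ctx_lines)}
    return sorted(r for r in parse_rows(wpm_lines) if (r[0], r[1]) not in ctx)


def injection_chains(ctx_lines):
    """Follow src -> dst context edges from every root (a PID nobody injected into)."""
    edges, targets = defaultdict(list), set()
    for src, dst, _, _ in parse_rows(ctx_lines):
        edges[src].append(dst)
        targets.add(dst)
    chains = []

    def walk(pid, path):
        if pid not in edges:
            chains.append(path)
            return
        for nxt in sorted(edges[pid]):
            walk(nxt, path + [nxt])

    for root in sorted(set(edges) - targets):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    for src, dst, si, di, kind, ev in classify_injections(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{src:>5} -> {dst:<5} {si} -> {di}: {kind} [{ev}]")
    for chain in injection_chains(SET_THREAD_CONTEXT):
        print("chain:", " -> ".join(map(str, chain)))
    for src, dst, si, di in unpaired_writes(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"write without context reset: {si} {src} -> {di} {dst}")
```

Run as-is, the longest chain it prints is 3244 -> 1368 -> 4828 -> 532 (AttributeString.exe hollowing itself, then InstallUtil.exe, then a second InstallUtil.exe), and the only cross-image pair is 1368 -> 4828. The write from Dropakxa.exe 1784 into dialer.exe 3224 shows up as a write without a context reset; together with the NtCreateUserProcessOtherParentProcess hit that is the spoofed-parent dialer.exe, not a hollowed one. Treat the "context only" results as a limitation of the capped table, not as evidence that no write happened.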
Processes
- (depth 1) C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2660
  - (depth 2) C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 3224
  - (depth 2) C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4464
- (depth 1) C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 4800
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 896
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID: 3964
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 1172
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          PID: 2024
          - (depth 6) C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            signatures: Executes dropped EXE
            PID: 2236
          - (depth 6) C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            signatures: Executes dropped EXE
            PID: 4068
          - (depth 6) C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            PID: 4008
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          signatures: Executes dropped EXE
          PID: 4548
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          command line: C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          PID: 1784
          - (depth 6) C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 448
            signatures: Program crash
            PID: 4332
          - (depth 6) C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 480
            signatures: Program crash
            PID: 4452
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 1288
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          signatures: Executes dropped EXE
          PID: 1552
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          signatures: Executes dropped EXE
          PID: 1776
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          signatures: Executes dropped EXE
          PID: 424
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          command line: C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
          PID: 1452
          - (depth 6) C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 420
            signatures: Program crash
            PID: 1616
          - (depth 6) C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 452
            signatures: Program crash
            PID: 2688
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
    signatures: Loads dropped DLL
    PID: 4424
- (depth 1) C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x514 0x518
  signatures: Suspicious use of AdjustPrivilegeToken
  PID: 2376
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1784 -ip 1784
  PID: 1556
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1784 -ip 1784
  PID: 5072
- (depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  decoded -enc payload (base64 of UTF-16LE): Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 3624
- (depth 1) C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
  command line: C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 3244
  - (depth 2) C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
    command line: C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
    signatures: Executes dropped EXE
    PID: 5040
  - (depth 2) C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
    command line: C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 1368
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
      PID: 4828
      - (depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        signatures: Suspicious use of AdjustPrivilegeToken
        PID: 532
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1452 -ip 1452
  PID: 2244
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1452 -ip 1452
  PID: 2380
- (depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  decoded -enc payload (base64 of UTF-16LE): Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 4176
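The two powershell.exe entries in the tree carry the most actionable line of the whole report: an encoded command that adds a Microsoft Defender path exclusion for the directory the persistence binary lives in and a process exclusion for AttributeString.exe itself. The script below is an added example for this write-up, not part of the Triage report or the malware: it decodes a `-EncodedCommand` argument the way PowerShell does (base64 of UTF-16LE, with the short `-e`/`-ec`/`-enc` forms) and flags `Add-MpPreference`/`Set-MpPreference` exclusion changes. The sample command line is the one recorded above, embedded as constructed input; the evasion-switch table and the verdict strings are the script's own.

```python
"""Decode a PowerShell -EncodedCommand and flag Defender exclusion tampering.

Added example for this write-up, not part of the Triage report. SAMPLE_CMDLINE
is the powershell.exe command line recorded for PIDs 3624 and 4176, embedded
as constructed input. EVASION_SWITCHES and the verdict names are this
script's own choices.
"""
import base64
import re

SAMPLE_CMDLINE = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAg"
    "AEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEA"
    "ZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBz"
    "AHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA"
)

# Add-MpPreference / Set-MpPreference followed, within the same statement
# (no ';' or '|' in between), by an exclusion parameter and its first value.
# Limitation: a quoted value containing spaces is cut at the first space.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b[^;|\n]*?-Exclusion(Path|Process|Extension|IpAddress)\s+(\S+)",
    re.IGNORECASE,
)

# Switches that hide the window or bypass policy: weak signals alone, strong
# next to an encoded command. Keys are matched against the lower-cased line.
EVASION_SWITCHES = {
    "-executionpolicy bypass": "ExecutionPolicy Bypass",
    "-windowstyle hidden": "WindowStyle Hidden",
    "-noprofile": "NoProfile",
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -e / -ec / -enc / -EncodedCommand, or None."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        t = tok.lower()
        # PowerShell accepts -e, -ec, -enc and any longer prefix of -EncodedCommand.
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            b64 = parts[i + 1]
            raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
            return raw.decode("utf-16-le")
    return None


def find_defender_exclusions(script):
    """Return [(kind, value)] for every exclusion the script adds or sets."""
    return [(m.group(1).lower(), m.group(2).strip("\"';")) for m in EXCLUSION_RE.finditer(script)]


def analyze_powershell_cmdline(cmdline):
    """Triage one command line into decoded script, evasion switches, exclusions and a verdict."""
    decoded = decode_encoded_command(cmdline)
    lowered = " ".join(cmdline.split()).lower()
    switches = sorted(name for key, name in EVASION_SWITCHES.items() if key in lowered)
    # Look for exclusions in the decoded script, or in the plain command line
    # when nothing was encoded (e.g. -Command "Set-MpPreference ...").
    exclusions = find_defender_exclusions(decoded if decoded else cmdline)
    if exclusions:
        verdict = "defender-exclusion-tampering"
    elif decoded:
        verdict = "encoded-command"
    else:
        verdict = "clean"
    return {"decoded": decoded, "switches": switches, "exclusions": exclusions, "verdict": verdict}


if __name__ == "__main__":
    result = analyze_powershell_cmdline(SAMPLE_CMDLINE)
    print(result["verdict"], result["switches"])
    print(result["decoded"])
    for kind, value in result["exclusions"]:
        print(f"  exclusion {kind}: {value}")
```

On this report the verdict is defender-exclusion-tampering with a path exclusion for C:\Users\Admin\AppData\Local and a process exclusion for AttributeString.exe, which together take the dropped binary and the whole drop directory out of real-time scanning. On a live host the same change also lands in the Microsoft-Windows-Windows Defender/Operational log as Event ID 5007 (configuration changed), so both the command line and that event are worth alerting on.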
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 927B
  MD5: 4a911455784f74e368a4c2c7876d76f4
  SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
  SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
  SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
- Filesize: 944B
  MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
- Filesize: 1.2MB
  MD5: 71eb1bc6e6da380c1cb552d78b391b2a
  SHA1: df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
  SHA256: cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
  SHA512: d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90
- Filesize: 704KB
  MD5: 20d8bc77b286c2c0de4347d356f8bc0f
  SHA1: 10f4664c0361b0dc1f37c6b393f451b9ff836f11
  SHA256: a10a6603774bfd2623aa256882b47fa5480ea216ba3f99a23d8c96bb77e96247
  SHA512: 96d64b2c24e36c1245d4986aa129a78bb13417efa95e712b590f4332853f2f04d1d731dec82d062b39f7b5043da81ccc91de91141dc0ffe0dbd0c4f68a698819
- Filesize: 512KB
  MD5: 7d4777ed6d9818a912c0cefc9f12dcfc
  SHA1: 48001b580d7a36f39823fd391411b3a32e39faba
  SHA256: 6862447b716d9ebac197fad0eda503fc81576fd86de9871dbfb82586b60751f6
  SHA512: b898461eb44a0dd1958581a0e0cbb18b7d5ba88dcfc652bea73d84361936c1a90c40aacb4c3bf4dbfe424ddf441460c5342a5b5acb5f6605d355cefc62890414
- Filesize: 2.1MB
  MD5: 1a917a85dcbb1d3df5f4dd02e3a62873
  SHA1: 567f528fec8e7a4787f8c253446d8f1b620dc9d6
  SHA256: 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
  SHA512: 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 35KB
  MD5: e3a6587ba5a4ee4514ecaa4265dd9b2c
  SHA1: b44bb9b5fc3478fa6ea5140603857ee0c2d4c4fd
  SHA256: 566934a049ae41fe36e2e122825875e5c02d4db083e744a7a3c94f456cec2f94
  SHA512: 90f4e5ceac00a0815452ef951feb3aa29e6ef408d8d4cda023c3fdd49ba0238e06589cee9cc0be842eddd1b02bd1d448d9ab8bdaed70651b38d6074c9f99d22f
- Filesize: 140KB
  MD5: d6bfa5d4d5d67dd73013e5b400cac2e7
  SHA1: 725f7fec0fd1f245c44ab1c228cd349a5e12bd71
  SHA256: fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
  SHA512: e5d58b64de4d398290d0cd79d44a516ca2528bd183566926ea1f3b9211b20fa5c2244bcc8bd3cc1f3b1d470dc257b72b8d3530d682fff00b7b52227c6c3c7808