Analysis

- max time kernel: 143s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 04:29

Static task: static1

Behavioral task: behavioral1
- Sample: 11dcd8e017b0e067e922cfb6507a8dde.exe
- Resource: win7-20240220-en
General

- Target: 11dcd8e017b0e067e922cfb6507a8dde.exe
- Size: 421KB
- MD5: 11dcd8e017b0e067e922cfb6507a8dde
- SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
- SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
- SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
- SSDEEP: 6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Malware Config

Extracted: amadey 4.18
- install_dir: 154561dcbf
- install_file: Dctooux.exe
- strings_key: 2cd47fa043c815e1a033c67832f3c6a5
- url_paths: /j4Fvskd3/index.php

Extracted: vidar
- https://steamcommunity.com/profiles/76561199673019888
- https://t.me/irfail
- user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted: asyncrat 0.5.8
- Default
- 94.228.162.82:6606
- 94.228.162.82:7707
- 94.228.162.82:8808
- YBc01FE5mcOd
- delay: 3
- install: true
- install_file: appBroker.exe
- install_folder: %AppData%
Signatures

Detect Vidar Stealer (7 IoCs)
resource | yara_rule
- behavioral1/memory/1676-54-0x0000000000230000-0x0000000000265000-memory.dmp | family_vidar_v7
- behavioral1/memory/1676-55-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
- behavioral1/memory/1676-184-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
- behavioral1/files/0x0006000000016f7e-190.dat | family_vidar_v7
- behavioral1/memory/1568-233-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
- behavioral1/memory/1568-324-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
- behavioral1/memory/2156-326-0x0000000004BE0000-0x0000000004C20000-memory.dmp | family_vidar_v7

Detect ZGRat V1 (2 IoCs)
resource | yara_rule
- behavioral1/memory/1668-361-0x00000000053E0000-0x000000000547C000-memory.dmp | family_zgrat_v1
- behavioral1/memory/1668-385-0x00000000057D0000-0x0000000005832000-memory.dmp | family_zgrat_v1

Async RAT payload (1 IoC)
resource | yara_rule
- behavioral1/files/0x000600000001748d-240.dat | family_asyncrat

Blocklisted process makes network request (1 IoC)
flow | pid | Process
- 35 | 1748 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (5 IoCs)
pid | Process
- 2792 | Dctooux.exe
- 1676 | vidar.exe
- 1568 | vidar.exe
- 2156 | AsyncClient.exe
- 1668 | appBroker.exe

Loads dropped DLL (21 IoCs)
pid | Process
- 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe
- 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe
- 2792 | Dctooux.exe
- 2792 | Dctooux.exe
- 2988 | rundll32.exe
- 2988 | rundll32.exe
- 2988 | rundll32.exe
- 2988 | rundll32.exe
- 2792 | Dctooux.exe
- 2792 | Dctooux.exe
- 2792 | Dctooux.exe
- 1744 | rundll32.exe
- 1744 | rundll32.exe
- 1744 | rundll32.exe
- 1744 | rundll32.exe
- 2792 | Dctooux.exe
- 1696 | cmd.exe
- 1748 | rundll32.exe
- 1748 | rundll32.exe
- 1748 | rundll32.exe
- 1748 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | Dctooux.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | Dctooux.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | Dctooux.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | Dctooux.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | Dctooux.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
- File created | C:\Windows\Tasks\Dctooux.job | 11dcd8e017b0e067e922cfb6507a8dde.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 612 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
- 336 | timeout.exe
Modifies system certificate store (5 IoCs)
description | ioc | Process
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <certificate blob omitted> | vidar.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | vidar.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <certificate blob omitted> | vidar.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <certificate blob omitted> | vidar.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | vidar.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
- 2156 | AsyncClient.exe
- 2156 | AsyncClient.exe
- 2156 | AsyncClient.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2156 | AsyncClient.exe
- Token: SeDebugPrivilege | 1668 | appBroker.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
- 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
- PID 1740 wrote to memory of 2792 | 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe | 28
- PID 1740 wrote to memory of 2792 | 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe | 28
- PID 1740 wrote to memory of 2792 | 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe | 28
- PID 1740 wrote to memory of 2792 | 1740 | 11dcd8e017b0e067e922cfb6507a8dde.exe | 28
- PID 2792 wrote to memory of 1676 | 2792 | Dctooux.exe | 30
- PID 2792 wrote to memory of 1676 | 2792 | Dctooux.exe | 30
- PID 2792 wrote to memory of 1676 | 2792 | Dctooux.exe | 30
- PID 2792 wrote to memory of 1676 | 2792 | Dctooux.exe | 30
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 2988 | 2792 | Dctooux.exe | 35
- PID 2792 wrote to memory of 3032 | 2792 | Dctooux.exe | 36
- PID 2792 wrote to memory of 3032 | 2792 | Dctooux.exe | 36
- PID 2792 wrote to memory of 3032 | 2792 | Dctooux.exe | 36
- PID 2792 wrote to memory of 3032 | 2792 | Dctooux.exe | 36
- PID 2792 wrote to memory of 1568 | 2792 | Dctooux.exe | 37
- PID 2792 wrote to memory of 1568 | 2792 | Dctooux.exe | 37
- PID 2792 wrote to memory of 1568 | 2792 | Dctooux.exe | 37
- PID 2792 wrote to memory of 1568 | 2792 | Dctooux.exe | 37
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 1744 | 2792 | Dctooux.exe | 38
- PID 2792 wrote to memory of 2156 | 2792 | Dctooux.exe | 39
- PID 2792 wrote to memory of 2156 | 2792 | Dctooux.exe | 39
- PID 2792 wrote to memory of 2156 | 2792 | Dctooux.exe | 39
- PID 2792 wrote to memory of 2156 | 2792 | Dctooux.exe | 39
- PID 2156 wrote to memory of 904 | 2156 | AsyncClient.exe | 41
- PID 2156 wrote to memory of 904 | 2156 | AsyncClient.exe | 41
- PID 2156 wrote to memory of 904 | 2156 | AsyncClient.exe | 41
- PID 2156 wrote to memory of 904 | 2156 | AsyncClient.exe | 41
- PID 2156 wrote to memory of 1696 | 2156 | AsyncClient.exe | 43
- PID 2156 wrote to memory of 1696 | 2156 | AsyncClient.exe | 43
- PID 2156 wrote to memory of 1696 | 2156 | AsyncClient.exe | 43
- PID 2156 wrote to memory of 1696 | 2156 | AsyncClient.exe | 43
- PID 904 wrote to memory of 612 | 904 | cmd.exe | 45
- PID 904 wrote to memory of 612 | 904 | cmd.exe | 45
- PID 904 wrote to memory of 612 | 904 | cmd.exe | 45
- PID 904 wrote to memory of 612 | 904 | cmd.exe | 45
- PID 1696 wrote to memory of 336 | 1696 | cmd.exe | 46
- PID 1696 wrote to memory of 336 | 1696 | cmd.exe | 46
- PID 1696 wrote to memory of 336 | 1696 | cmd.exe | 46
- PID 1696 wrote to memory of 336 | 1696 | cmd.exe | 46
- PID 1696 wrote to memory of 1668 | 1696 | cmd.exe | 47
- PID 1696 wrote to memory of 1668 | 1696 | cmd.exe | 47
- PID 1696 wrote to memory of 1668 | 1696 | cmd.exe | 47
- PID 1696 wrote to memory of 1668 | 1696 | cmd.exe | 47
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2792 wrote to memory of 2008 | 2792 | Dctooux.exe | 48
- PID 2008 wrote to memory of 912 | 2008 | rundll32.exe | 49
- PID 2008 wrote to memory of 912 | 2008 | rundll32.exe | 49
- PID 2008 wrote to memory of 912 | 2008 | rundll32.exe | 49
Processes

- C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
  PID: 1740
  Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    PID: 2792
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
      PID: 1676
      Signatures: Executes dropped EXE; Modifies system certificate store
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
      PID: 2988
      Signatures: Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      PID: 3032
    - C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
      PID: 1568
      Signatures: Executes dropped EXE; Modifies system certificate store
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
      PID: 1744
      Signatures: Loads dropped DLL
    - C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
      PID: 2156
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
        PID: 904
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
          PID: 612
          Signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat""
        PID: 1696
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          PID: 336
          Signatures: Delays execution with timeout.exe
        - C:\Users\Admin\AppData\Roaming\appBroker.exe
          Command line: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
          PID: 1668
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      PID: 2008
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        PID: 912
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
      PID: 1748
      Signatures: Blocklisted process makes network request; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads