bf8a99c54e00ff38f115df8a3f0afa2e5080e67914966fb128bb6c5563c3284a

Analysis

max time kernel
12s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Size

9.3MB
MD5

c4f47bd26e74cee55af2dc4f49e87f0e
SHA1

a03287de6d4b935cb19f78d4c820d3b3e0680114
SHA256

bf8a99c54e00ff38f115df8a3f0afa2e5080e67914966fb128bb6c5563c3284a
SHA512

e38ac9ae1bc8984469c82e0dc559951067559909e76f344ddb55b9394f4c62e4f5148104d2af4232346a3385811221c3be61ddf5f81179776b5dd67b0f7b8fde
SSDEEP

98304:I2WFke58etbgH67479hFti3Xo3JEdfkF4Chy8bX1nA1z:Uke58etbEZfti3XRdfkF4ChToz

Score

8^/10

execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3960	powershell.exe
4572	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
5	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1804	wmic.exe
5088	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
Token: SeIncreaseQuotaPrivilege	1804	wmic.exe
Token: SeSecurityPrivilege	1804	wmic.exe
Token: SeTakeOwnershipPrivilege	1804	wmic.exe
Token: SeLoadDriverPrivilege	1804	wmic.exe
Token: SeSystemProfilePrivilege	1804	wmic.exe
Token: SeSystemtimePrivilege	1804	wmic.exe
Token: SeProfSingleProcessPrivilege	1804	wmic.exe
Token: SeIncBasePriorityPrivilege	1804	wmic.exe
Token: SeCreatePagefilePrivilege	1804	wmic.exe
Token: SeBackupPrivilege	1804	wmic.exe
Token: SeRestorePrivilege	1804	wmic.exe
Token: SeShutdownPrivilege	1804	wmic.exe
Token: SeDebugPrivilege	1804	wmic.exe
Token: SeSystemEnvironmentPrivilege	1804	wmic.exe
Token: SeRemoteShutdownPrivilege	1804	wmic.exe
Token: SeUndockPrivilege	1804	wmic.exe
Token: SeManageVolumePrivilege	1804	wmic.exe
Token: 33	1804	wmic.exe
Token: 34	1804	wmic.exe
Token: 35	1804	wmic.exe
Token: 36	1804	wmic.exe
Token: SeIncreaseQuotaPrivilege	1804	wmic.exe
Token: SeSecurityPrivilege	1804	wmic.exe
Token: SeTakeOwnershipPrivilege	1804	wmic.exe
Token: SeLoadDriverPrivilege	1804	wmic.exe
Token: SeSystemProfilePrivilege	1804	wmic.exe
Token: SeSystemtimePrivilege	1804	wmic.exe
Token: SeProfSingleProcessPrivilege	1804	wmic.exe
Token: SeIncBasePriorityPrivilege	1804	wmic.exe
Token: SeCreatePagefilePrivilege	1804	wmic.exe
Token: SeBackupPrivilege	1804	wmic.exe
Token: SeRestorePrivilege	1804	wmic.exe
Token: SeShutdownPrivilege	1804	wmic.exe
Token: SeDebugPrivilege	1804	wmic.exe
Token: SeSystemEnvironmentPrivilege	1804	wmic.exe
Token: SeRemoteShutdownPrivilege	1804	wmic.exe
Token: SeUndockPrivilege	1804	wmic.exe
Token: SeManageVolumePrivilege	1804	wmic.exe
Token: 33	1804	wmic.exe
Token: 34	1804	wmic.exe
Token: 35	1804	wmic.exe
Token: 36	1804	wmic.exe
Token: SeIncreaseQuotaPrivilege	4192	wmic.exe
Token: SeSecurityPrivilege	4192	wmic.exe
Token: SeTakeOwnershipPrivilege	4192	wmic.exe
Token: SeLoadDriverPrivilege	4192	wmic.exe
Token: SeSystemProfilePrivilege	4192	wmic.exe
Token: SeSystemtimePrivilege	4192	wmic.exe
Token: SeProfSingleProcessPrivilege	4192	wmic.exe
Token: SeIncBasePriorityPrivilege	4192	wmic.exe
Token: SeCreatePagefilePrivilege	4192	wmic.exe
Token: SeBackupPrivilege	4192	wmic.exe
Token: SeRestorePrivilege	4192	wmic.exe
Token: SeShutdownPrivilege	4192	wmic.exe
Token: SeDebugPrivilege	4192	wmic.exe
Token: SeSystemEnvironmentPrivilege	4192	wmic.exe
Token: SeRemoteShutdownPrivilege	4192	wmic.exe
Token: SeUndockPrivilege	4192	wmic.exe
Token: SeManageVolumePrivilege	4192	wmic.exe
Token: 33	4192	wmic.exe
Token: 34	4192	wmic.exe
Token: 35	4192	wmic.exe
Token: 36	4192	wmic.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2160	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	84
PID 4848 wrote to memory of 2160	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	84
PID 4848 wrote to memory of 1804	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	86
PID 4848 wrote to memory of 1804	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	86
PID 4848 wrote to memory of 4192	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	89
PID 4848 wrote to memory of 4192	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	89
PID 4848 wrote to memory of 3960	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	91
PID 4848 wrote to memory of 3960	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	91
PID 4848 wrote to memory of 3728	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	93
PID 4848 wrote to memory of 3728	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	93
PID 4848 wrote to memory of 4196	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	95
PID 4848 wrote to memory of 4196	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	95
PID 4848 wrote to memory of 4360	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	97
PID 4848 wrote to memory of 4360	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	97
PID 4848 wrote to memory of 5088	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	99
PID 4848 wrote to memory of 5088	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	99
PID 4848 wrote to memory of 2084	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	101
PID 4848 wrote to memory of 2084	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	101
PID 4848 wrote to memory of 1392	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	103
PID 4848 wrote to memory of 1392	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	103
PID 4848 wrote to memory of 3916	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	105
PID 4848 wrote to memory of 3916	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	105
PID 4848 wrote to memory of 2868	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	107
PID 4848 wrote to memory of 2868	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	107
PID 4848 wrote to memory of 4572	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	109
PID 4848 wrote to memory of 4572	4848	2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe	109
PID 4572 wrote to memory of 1736	4572	powershell.exe	111
PID 4572 wrote to memory of 1736	4572	powershell.exe	111
PID 1736 wrote to memory of 3156	1736	csc.exe	112
PID 1736 wrote to memory of 3156	1736	csc.exe	112

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2160	attrib.exe
1392	attrib.exe
3916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe"
1⤵
- Drops file in Drivers directory
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:2160
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2024-05-03_c4f47bd26e74cee55af2dc4f49e87f0e_ngrbot_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3960
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:3728
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  PID:4360
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5088
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:2084
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1392
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:3916
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvzqq3uc\bvzqq3uc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51D9.tmp" "c:\Users\Admin\AppData\Local\Temp\bvzqq3uc\CSC8CFC8DE3EBEF4D75A650332486FF40.TMP"
      4⤵
      PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\OobHbN1ZxY\Display (1).png

Filesize
432KB

MD5
aa03e77cd27828a4893b212e774a23c9

SHA1
b69bf2e53368ca9201fac841ecf2e7e74a95ef36

SHA256
dc941f49129ba2f4aa6fb445744273f16aed38d927f324def462fa2edf184953

SHA512
5f76acc9a2a1955586a897206a697e078ca75bc77ae26e4d5922183f8debe1980599cf013a89053564f31d9725ef8a33fa7afece213890c689426a516a0d827f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES51D9.tmp

Filesize
1KB

MD5
c9927f080a334e4913c8eb0256750716

SHA1
854ee3cf921a5c3f32e5ecd09404056cebd2c0d2

SHA256
9cddc9a2f144846a3a733eaa5d5075015cc633dea5358b8d6c35471cd17dd12c

SHA512
70437ddcdef8e45ab6317c87f7984f9e2383b6eb35013fc6e820ae4267fd5a6ef18701516769d101390416d36a6b2c1bd5afaf96b339fcbe15d09f8abc00d3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcyyqoaw.ajx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvzqq3uc\bvzqq3uc.dll

Filesize
4KB

MD5
83fb96d6234db9d7f23cc704d3656785

SHA1
4bdfa0bd618379eeb3d5e145c0fc68c3c279b2da

SHA256
62fcc7699f8fdb6fa2e10e07ea0c32a6c76a40f7cbb821becf942f038578149d

SHA512
39ec91fdd1a212e0e8bc45611fc51268965733f5b6d32652fdbd99a7ef2606a0d541231bf2d0bbf168a3c5a83dc0a6733ece3a6ca03c3be1021fe22e77d90220

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvzqq3uc\CSC8CFC8DE3EBEF4D75A650332486FF40.TMP

Filesize
652B

MD5
775d4dba3477dd408726d51b95343f95

SHA1
9be58eb78333f8a00f4f3af61ac1f29a1909cda3

SHA256
9c42a127ea3d395614c3d3e2c3dc2ab34385bbf049c6896cdfc38bac2ff13f71

SHA512
090e16e144a2d5f77aa1840cf82707f502cd9449e4c1173ef26dda62c4dd195c674de383a10e9521f62f1bd37b39d45cd7cb00a07f81eb6a8607ee7fd141c956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvzqq3uc\bvzqq3uc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvzqq3uc\bvzqq3uc.cmdline

Filesize
607B

MD5
12ff22f269ad6ae428074f417def0386

SHA1
81f75bab3c3b093e2d19865fef14a12d0664ec8d

SHA256
e09a4f0682e71d23135e85a974b33d6158141e3446e50649501859b82b0178d7

SHA512
9f736986e9c1a7a73cf38ad237a1cc5685a639baec268ff561dee1a5748405feca17b1f11b4f763cd30926fa2f38b6c39c531927a8fdc45103494cab21d5ca47

Download Submit
memory/3960-28-0x00007FFE3E3E0000-0x00007FFE3EEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3960-2-0x00007FFE3E3E3000-0x00007FFE3E3E5000-memory.dmp

Filesize
8KB

Download
memory/3960-16-0x00007FFE3E3E0000-0x00007FFE3EEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3960-13-0x00007FFE3E3E0000-0x00007FFE3EEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3960-3-0x000001D66D8F0000-0x000001D66D912000-memory.dmp

Filesize
136KB

Download
memory/4572-87-0x0000013D19D90000-0x0000013D19D98000-memory.dmp

Filesize
32KB

Download