079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04

Resubmissions

07-05-2024 08:45

240507-kn5nfsha6t 10

07-05-2024 08:45

07-05-2024 08:44

07-05-2024 08:44

07-05-2024 08:44

25-04-2024 13:01

Analysis

max time kernel
1782s
max time network
1799s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-05-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
Size

1.8MB
MD5

05e0bbeb4452eb1e90ba6e2c730519df
SHA1

a231b7fc6fd2ac37f29d0c20531dba861fc3afa9
SHA256

079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04
SHA512

3ba2dd278cf8e6b91c8b44839e37bb47f64262de2d42341711acfa0e790491690c965cac9d39de9c76105004dfa0dee34f391ff0d01097f8bf262d94300e78f1
SSDEEP

49152:/gceKimpc/OM9yeF/WRG+jFvmpQtySk5kf:/gpKBp6O8yeFIG+jVaH

Score

10^/10

discovery persistence phishing upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ingecan.com
Port:
21
Username:
[email protected]
Password:
comercial

Extracted

Credentials

Protocol: ftp
Host:
ftp.ingecan.com
Port:
21
Username:
inco56
Password:
comercial

Extracted

Credentials

Protocol: ftp
Host:
ftp.holonium.com
Port:
21
Username:
[email protected]
Password:
jonathan17

Extracted

Credentials

Protocol: ftp
Host:
ftp.ingecan.com
Port:
21
Username:
admin
Password:
comercial

Extracted

Credentials

Protocol: ftp
Host:
ftp.holonium.com
Port:
21
Username:
postmaster
Password:
jonathan17

Extracted

Credentials

Protocol: ftp
Host:
ftp.ingecan.com
Port:
21
Username:
ingecan
Password:
comercial

Extracted

Credentials

Protocol: ftp
Host:
ftp.holonium.com
Port:
21
Username:
admin
Password:
jonathan17

Extracted

Credentials

Protocol: ftp
Host:
ftp.holonium.com
Port:
21
Username:
holonium
Password:
jonathan17

Extracted

Credentials

Protocol: ftp
Host:
truechem.net
Port:
21
Username:
[email protected]
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
truechem.net
Port:
21
Username:
lsherry
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
truechem.net
Port:
21
Username:
admin
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
truechem.net
Port:
21
Username:
truechem
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
ftp.truechem.net
Port:
21
Username:
[email protected]
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
ftp.truechem.net
Port:
21
Username:
lsherry
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
ftp.truechem.net
Port:
21
Username:
admin
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
ftp.truechem.net
Port:
21
Username:
truechem
Password:
,"317537"

Extracted

Credentials

Protocol: ftp
Host:
ftp.emullins.com
Port:
21
Username:
[email protected]
Password:
ladyqueen98

Extracted

Credentials

Protocol: ftp
Host:
ftp.emullins.com
Port:
21
Username:
no-reply
Password:
ladyqueen98

Extracted

Credentials

Protocol: ftp
Host:
ftp.emullins.com
Port:
21
Username:
admin
Password:
ladyqueen98

Extracted

Credentials

Protocol: ftp
Host:
ftp.emullins.com
Port:
21
Username:
emullins
Password:
ladyqueen98

Extracted

Credentials

Protocol: ftp
Host:
whippedcreem.com
Port:
21
Username:
[email protected]
Password:
74farost8

Extracted

Credentials

Protocol: ftp
Host:
mail.whippedcreem.com
Port:
21
Username:
admin
Password:
74farost8

Extracted

Credentials

Protocol: ftp
Host:
mail.whippedcreem.com
Port:
21
Username:
whippedcreem
Password:
74farost8

Extracted

Credentials

Protocol: ftp
Host:
ftp.printpower.eu
Port:
21
Username:
[email protected]

Extracted

Credentials

Protocol: ftp
Host:
ftp.printpower.eu
Port:
21
Username:
frunk.leerkotte

Extracted

Credentials

Protocol: ftp
Host:
ftp.printpower.eu
Port:
21
Username:
admin

Extracted

Credentials

Protocol: ftp
Host:
ftp.printpower.eu
Port:
21
Username:
printpower

Extracted

Credentials

Protocol: ftp
Host:
chrisandanne.co.uk
Port:
21
Username:
[email protected]
Password:
teovat640

Extracted

Credentials

Protocol: ftp
Host:
chrisandanne.co.uk
Port:
21
Username:
office
Password:
teovat640

Extracted

Credentials

Protocol: ftp
Host:
chrisandanne.co.uk
Port:
21
Username:
admin
Password:
teovat640

Extracted

Credentials

Protocol: ftp
Host:
chrisandanne.co.uk
Port:
21
Username:
chrisandanne
Password:
teovat640

Extracted

Credentials

Protocol: ftp
Host:
synetronic.com
Port:
21
Username:
[email protected]
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
synetronic.com
Port:
21
Username:
n3m1n0123
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
synetronic.com
Port:
21
Username:
admin
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
synetronic.com
Port:
21
Username:
synetronic
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
ftp.synetronic.com
Port:
21
Username:
[email protected]
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
ftp.synetronic.com
Port:
21
Username:
n3m1n0123
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
ftp.synetronic.com
Port:
21
Username:
admin
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
ftp.synetronic.com
Port:
21
Username:
synetronic
Password:
fabrizio.nicoletti

Extracted

Credentials

Protocol: ftp
Host:
ementhal.com
Port:
21
Username:
[email protected]
Password:
ementhal

Extracted

Credentials

Protocol: ftp
Host:
thatriplathraat.20m.com
Port:
21
Username:
[email protected]
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
thatriplathraat.20m.com
Port:
21
Username:
mtgcagant258
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
ssh.thatriplathraat.20m.com
Port:
21
Username:
admin
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
oxmust.co.uk
Port:
21
Username:
[email protected]
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
ssh.thatriplathraat.20m.com
Port:
21
Username:
thatriplathraat
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
oxmust.co.uk
Port:
21
Username:
melmison
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
oxmust.co.uk
Port:
21
Username:
admin
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
oxmust.co.uk
Port:
21
Username:
oxmust
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
ftp.thatriplathraat.20m.com
Port:
21
Username:
[email protected]
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
ftp.thatriplathraat.20m.com
Port:
21
Username:
mtgcagant258
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
ftp.thatriplathraat.20m.com
Port:
21
Username:
admin
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
pop3.thatriplathraat.20m.com
Port:
21
Username:
thatriplathraat
Password:
Mtgcagant258

Extracted

Credentials

Protocol: ftp
Host:
ftp.oxmust.co.uk
Port:
21
Username:
[email protected]
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
ftp.oxmust.co.uk
Port:
21
Username:
melmison
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
ftp.oxmust.co.uk
Port:
21
Username:
admin
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
ftp.oxmust.co.uk
Port:
21
Username:
oxmust
Password:
melmouse

Extracted

Credentials

Protocol: ftp
Host:
ftp.embarkproductions.com
Port:
21
Username:
[email protected]
Password:
chicago70

Extracted

Credentials

Protocol: ftp
Host:
ftp.embarkproductions.com
Port:
21
Username:
jason
Password:
chicago70

Extracted

Credentials

Protocol: ftp
Host:
ftp.embarkproductions.com
Port:
21
Username:
admin
Password:
chicago70

Extracted

Credentials

Protocol: ftp
Host:
ftp.embarkproductions.com
Port:
21
Username:
embarkproductions
Password:
chicago70

Extracted

Credentials

Protocol: ftp
Host:
mail.visionfundzambia.org
Port:
21
Username:
[email protected]
Password:
martin1234

Extracted

Credentials

Protocol: ftp
Host:
mail.visionfundzambia.org
Port:
21
Username:
admin
Password:
martin1234

Extracted

Credentials

Protocol: ftp
Host:
mail.visionfundzambia.org
Port:
21
Username:
visionfundzambia
Password:
martin1234

Extracted

Credentials

Protocol: ftp
Host:
ftp.ulrich-thies.de
Port:
21
Username:
[email protected]
Password:
gofffaz

Extracted

Credentials

Protocol: ftp
Host:
ftp.ulrich-thies.de
Port:
21
Username:
werbung
Password:
gofffaz

Extracted

Credentials

Protocol: ftp
Host:
ftp.ulrich-thies.de
Port:
21
Username:
admin
Password:
gofffaz

Extracted

Credentials

Protocol: ftp
Host:
ftp.ulrich-thies.de
Port:
21
Username:
ulrich-thies
Password:
gofffaz

Extracted

Credentials

Protocol: ftp
Host:
redpoint.kz
Port:
21
Username:
[email protected]
Password:
fructul212

Extracted

Credentials

Protocol: ftp
Host:
redpoint.kz
Port:
21
Username:
lurissu
Password:
fructul212

Extracted

Credentials

Protocol: ftp
Host:
redpoint.kz
Port:
21
Username:
admin
Password:
fructul212

Extracted

Credentials

Protocol: ftp
Host:
imschweiler-net.de
Port:
21
Username:
[email protected]
Password:
dilapoge

Extracted

Credentials

Protocol: ftp
Host:
imschweiler-net.de
Port:
21
Username:
admin
Password:
dilapoge

Extracted

Credentials

Protocol: ftp
Host:
imschweiler-net.de
Port:
21
Username:
imschweiler-net
Password:
dilapoge

Extracted

Credentials

Protocol: ftp
Host:
ftp.imschweiler-net.de
Port:
21
Username:
[email protected]
Password:
dilapoge

Extracted

Credentials

Protocol: ftp
Host:
yarally.nl
Port:
21
Username:
[email protected]
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
ftp.imschweiler-net.de
Port:
21
Username:
admin
Password:
dilapoge

Extracted

Credentials

Protocol: ftp
Host:
yarally.nl
Port:
21
Username:
webmaster
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
yarally.nl
Port:
21
Username:
admin
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
yarally.nl
Port:
21
Username:
yarally
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
ftp.yarally.nl
Port:
21
Username:
[email protected]
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
ftp.yarally.nl
Port:
21
Username:
webmaster
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
ftp.yarally.nl
Port:
21
Username:
admin
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
ftp.yarally.nl
Port:
21
Username:
yarally
Password:
Yarally123!

Extracted

Credentials

Protocol: ftp
Host:
styleloft.co.kr
Port:
21
Username:
[email protected]
Password:
jihyun_park

Extracted

Credentials

Protocol: ftp
Host:
styleloft.co.kr
Port:
21
Username:
ji5309
Password:
jihyun_park

Extracted

Credentials

Protocol: ftp
Host:
styleloft.co.kr
Port:
21
Username:
admin
Password:
jihyun_park

Extracted

Credentials

Protocol: ftp
Host:
styleloft.co.kr
Port:
21
Username:
styleloft
Password:
jihyun_park

Extracted

Credentials

Protocol: ftp
Host:
ftp.arathi.com
Port:
21
Username:
[email protected]
Password:
arathi1

Extracted

Credentials

Protocol: ftp
Host:
ftp.arathi.com
Port:
21
Username:
arathi
Password:
arathi1

Extracted

Credentials

Protocol: ftp
Host:
ftp.arathi.com
Port:
21
Username:
admin
Password:
arathi1

Extracted

Credentials

Protocol: ftp
Host:
illufoxdesign.com
Port:
21
Username:
[email protected]
Password:
sv589reYc

Extracted

Credentials

Protocol: ftp
Host:
illufoxdesign.com
Port:
21
Username:
grlyo
Password:
sv589reYc

Extracted

Credentials

Protocol: ftp
Host:
illufoxdesign.com
Port:
21
Username:
admin
Password:
sv589reYc

Extracted

Credentials

Protocol: ftp
Host:
illufoxdesign.com
Port:
21
Username:
illufoxdesign
Password:
sv589reYc

Extracted

Credentials

Protocol: ftp
Host:
ftp.develix.fr
Port:
21
Username:
[email protected]
Password:
doudoune1

Extracted

Credentials

Protocol: ftp
Host:
ftp.develix.fr
Port:
21
Username:
redzone03
Password:
doudoune1

Extracted

Credentials

Protocol: ftp
Host:
ftp.develix.fr
Port:
21
Username:
admin
Password:
doudoune1

Extracted

Credentials

Protocol: ftp
Host:
ftp.develix.fr
Port:
21
Username:
develix
Password:
doudoune1

Extracted

Credentials

Protocol: ftp
Host:
confectious.net
Port:
21
Username:
[email protected]
Password:
egoodman

Extracted

Credentials

Protocol: ftp
Host:
www.confectious.net
Port:
21
Username:
mo88ney
Password:
egoodman

Extracted

Credentials

Protocol: ftp
Host:
www.confectious.net
Port:
21
Username:
admin
Password:
egoodman

Extracted

Credentials

Protocol: ftp
Host:
www.confectious.net
Port:
21
Username:
confectious
Password:
egoodman

Extracted

Credentials

Protocol: ftp
Host:
lasaterandmartin.com
Port:
21
Username:
[email protected]
Password:
janet123

Extracted

Credentials

Protocol: ftp
Host:
www.lasaterandmartin.com
Port:
21
Username:
janet
Password:
janet123

Extracted

Credentials

Protocol: ftp
Host:
www.lasaterandmartin.com
Port:
21
Username:
admin
Password:
janet123

Extracted

Credentials

Protocol: ftp
Host:
www.lasaterandmartin.com
Port:
21
Username:
lasaterandmartin
Password:
janet123

Extracted

Credentials

Protocol: ftp
Host:
ftp.zwa-mev.de
Port:
21
Username:
[email protected]
Password:
|-/GuhqLUDmmU=-|-|--

Extracted

Credentials

Protocol: ftp
Host:
ftp.zwa-mev.de
Port:
21
Username:
m.schlicht
Password:
|-/GuhqLUDmmU=-|-|--

Extracted

Credentials

Protocol: ftp
Host:
ftp.zwa-mev.de
Port:
21
Username:
admin
Password:
|-/GuhqLUDmmU=-|-|--

Extracted

Credentials

Protocol: ftp
Host:
ftp.zwa-mev.de
Port:
21
Username:
zwa-mev
Password:
|-/GuhqLUDmmU=-|-|--

Extracted

Credentials

Protocol: ftp
Host:
sieben-kandern.de
Port:
21
Username:
[email protected]
Password:
Silvia_1968

Signatures

Contacts a large (2026) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1068-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-37-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-103-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-102-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/1068-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

Processes:

flow	ioc
83926	sites.google.com
83992	sites.google.com
4505	sites.google.com
64841	sites.google.com
64981	sites.google.com
65279	sites.google.com
66120	sites.google.com
65804	sites.google.com
83977	sites.google.com
84124	sites.google.com
65664	sites.google.com
9434	sites.google.com
10078	sites.google.com
65992	sites.google.com
84120	sites.google.com
7992	sites.google.com
64885	sites.google.com
65589	sites.google.com
4899	sites.google.com
83925	sites.google.com
84154	sites.google.com
183	sites.google.com
10756	sites.google.com
83960	sites.google.com
84194	sites.google.com
11221	sites.google.com
64888	sites.google.com
65143	sites.google.com
84031	sites.google.com
84034	sites.google.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

description	pid	process	target process
PID 4924 set thread context of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

Detected phishing page
phishing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

pid	process
1068	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
1068	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
1068	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
1068	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
1068	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
1068	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

description	pid	process	target process
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
PID 4924 wrote to memory of 1068	4924	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe	079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe

C:\Users\Admin\AppData\Local\Temp\079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
"C:\Users\Admin\AppData\Local\Temp\079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe
"C:\Users\Admin\AppData\Local\Temp\079d3ed502ea4bddba6eddae4b7b227dce3315db40ca10d26741abe23d81fd04.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
Filesize
2.4MB

MD5
dde78eff34a6e66b6ea6d178bc426549

SHA1
b253863b59f1502d06dfbcd3dd14313fe44c9e78

SHA256
a869e89870d10561112f15016a20789dae97004d52c3258ddc11e0ebbc91137e

SHA512
343452cd55b21a98f663e3cede0d29f77545f03c93cb0a3caa06160419991023226e03e957cda1cc3ef9bcfcf0dc7a103f875048971f9b6eb94133448e410141

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize
11.3MB

MD5
18afb20f44e11b529e5ff76ba47a502e

SHA1
28a783448083336369e3a021442098e64fa8b595

SHA256
17dc8372114473e9ce9f60cd1413453045c3c58b0c0968a52b7823bb535f098f

SHA512
82670c473c4cb179cd3830d93017e887ce8566ba23d1efbde456d6d6b033246df66f52e90ac1cae302af298b7bf0d467b83a427b8aa85ff3ca81246a557e35b2

Download Submit
memory/1068-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-37-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-103-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-102-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1068-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4924-1-0x00000000023C0000-0x0000000002583000-memory.dmp

Filesize
1.8MB

Download
memory/4924-2-0x0000000002590000-0x0000000002747000-memory.dmp

Filesize
1.7MB

Download