933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe
Size

2.6MB
MD5

abe9c81bec84f347431b8d3383801469
SHA1

59756954958fc98962cea7b4bdae4fb2e055387c
SHA256

933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f
SHA512

4d5d2d73549a838133acd7f3e6213b33f74a356d6102ae8a8f391f7bbf5759ed3d67779a29299138ed375ad65710a6e927e8e2e0d8a5943479badffaacf13b4d
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eR:ObCjPKNqQEfsw43qtmVfq4e

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-15-0x0000000000400000-0x000000000048E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1320-22-0x0000000000400000-0x000000000048E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with MEW 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3516-34-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW
behavioral2/memory/3516-33-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW
behavioral2/memory/3516-36-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4412-27-0x0000000000400000-0x0000000000491000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4412-29-0x0000000000400000-0x0000000000491000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-13-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/1320-15-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/1320-14-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/1320-22-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/4412-25-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral2/memory/4412-27-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral2/memory/4412-26-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral2/memory/4412-29-0x0000000000400000-0x0000000000491000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

jhdfkldfhndfkjdfnbfklfnf.exewinmgr119.exewinmgr119.exe

pid process

4236 jhdfkldfhndfkjdfnbfklfnf.exe
4120 winmgr119.exe
4376 winmgr119.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4120	winmgr119.exe
4376	winmgr119.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1320-13-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1320-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1320-14-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1320-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4412-25-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4412-27-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4412-26-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4412-29-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exejhdfkldfhndfkjdfnbfklfnf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 icanhazip.com
33 ipinfo.io

flow	ioc
31	icanhazip.com
33	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe	autoit_exe
C:\ProgramData\winmgr119.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exe

description	pid	process	target process
PID 4236 set thread context of 2324	4236	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 2324 set thread context of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 set thread context of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 set thread context of 3516	2324	RegAsm.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
320	schtasks.exe
3564	schtasks.exe
4336	schtasks.exe
1948	schtasks.exe
764	schtasks.exe
3988	schtasks.exe
3084	schtasks.exe
4992	schtasks.exe
4428	schtasks.exe
5072	schtasks.exe
4604	schtasks.exe
3164	schtasks.exe
3164	schtasks.exe
4008	schtasks.exe
2632	schtasks.exe
1720	schtasks.exe
2788	schtasks.exe
624	schtasks.exe
1100	schtasks.exe
2444	schtasks.exe
1052	schtasks.exe
2080	schtasks.exe
5036	schtasks.exe
1048	schtasks.exe
4352	schtasks.exe
2528	schtasks.exe

NTFS ADS 4 IoCs

Processes:

933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exejhdfkldfhndfkjdfnbfklfnf.exewinmgr119.exewinmgr119.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe:Zone.Identifier:$DATA	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exejhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exewinmgr119.exe

pid	process
2344	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe
2344	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
4120	winmgr119.exe
4120	winmgr119.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe
4236	jhdfkldfhndfkjdfnbfklfnf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.execvtres.execvtres.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	2324	RegAsm.exe
Token: SeDebugPrivilege	1320	cvtres.exe
Token: SeDebugPrivilege	4412	cvtres.exe
Token: SeDebugPrivilege	3516	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2324 RegAsm.exe

pid	process
2324	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exejhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exe

description	pid	process	target process
PID 2344 wrote to memory of 4236	2344	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 2344 wrote to memory of 4236	2344	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 2344 wrote to memory of 4236	2344	933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 4236 wrote to memory of 2324	4236	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 4236 wrote to memory of 2324	4236	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 4236 wrote to memory of 2324	4236	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 4236 wrote to memory of 2324	4236	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 4236 wrote to memory of 2324	4236	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 4236 wrote to memory of 1720	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1720	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1720	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 1320	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 4412	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 3516	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 3516	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 3516	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 3516	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 3516	2324	RegAsm.exe	cvtres.exe
PID 2324 wrote to memory of 3516	2324	RegAsm.exe	cvtres.exe
PID 4236 wrote to memory of 4336	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 4336	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 4336	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1052	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1052	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1052	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 2788	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 2788	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 2788	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 2080	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 2080	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 2080	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 5036	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 5036	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 5036	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1100	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1100	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1100	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 5072	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 5072	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 5072	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 3164	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 3164	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 3164	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1048	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1048	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1048	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1948	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1948	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 1948	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 764	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 764	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4236 wrote to memory of 764	4236	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe
"C:\Users\Admin\AppData\Local\Temp\933f755e98fd621519f30126ba57a70fdc4fa1ee1bd8c8303b96a6a0c5597d8f.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
0
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB1AC.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB44D.tmp"
4⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB4CB.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4336

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2788

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1100

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3164

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1048

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1948

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:764

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:320

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2632

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3084

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3564

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3164

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4008

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4992

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4352

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:624

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4428

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4604

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2528

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
Filesize
2.6MB

MD5
29b85b778be65f83b5faa701d26381fe

SHA1
891fee8091dca1608a35ed4246e41fdf4b65333c

SHA256
1f7d155da5131362cbfc5d3e38090b369e9df6a00249f186572f55b15304bca3

SHA512
151896addc36cfb7ecc0782636aee00cda3d5c28fe2322671914dae07b41feebe5df0871cc025a7e308323ce5732f11fcec3d8eba78b3e01fff79a3c77584639

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749
Filesize
8B

MD5
13df48c279209a1805c6658f750b3672

SHA1
7fe95bb5c04de2b4913067e3c3b61627378a241f

SHA256
73b2a0f0b690ec45cfadef97c7439fed2ea4d9dce1ff40b8e2c5194599a5d794

SHA512
5d8d856ac5d46f9350e5684dcc2b6a81a7fdbca20697a93dfb7371e70a483ce8032b8c52adb9784f82de4332d94fc67690db09e41882a108e27958510dd1ee35

Download Submit
C:\ProgramData\winmgr119.exe
Filesize
2.6MB

MD5
a71243be9553054fac5f398665a4c979

SHA1
12e3e8f68478c18ec4d9c90b9b2462c3ec2ca6c1

SHA256
eb3343562fa9852ba42271440cab52034d186f259893f571f2716171ed78348c

SHA512
1bd2f3e40cce3bea5523848a42efc689d1714b80c60889a596c5beb48ebb1f8a3cce2a7df4978c214cd05d2afdf623ada09203718f0211a0571438c194dfec6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1AC.tmp
Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB44D.tmp
Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4CB.tmp
Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
memory/1320-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1320-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1320-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1320-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2324-40-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2324-9-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2324-8-0x0000000001300000-0x00000000013CA000-memory.dmp

Filesize
808KB

Download
memory/3516-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-34-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-29-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4412-26-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4412-27-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4412-25-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download