e01bf187051ab20ecf85a9cea1c4c9072fd05658e7a9109e9c080161d9ad2e57

General

Target

containerServerNet.exe
Size

1.8MB
MD5

890b5cd71949526257d1497549da82ef
SHA1

1054441b6b2ec4b87a9e749ba7f2df20d58baa54
SHA256

e01bf187051ab20ecf85a9cea1c4c9072fd05658e7a9109e9c080161d9ad2e57
SHA512

5f65d1802332ead2af69dab9dcffbb8d2b70638c7f78babc72e35007fce09e6472dacb38c7b309490ccbd8cf848d0e365a211571d57b4912e52a5802e2bb0143
SSDEEP

24576:/99RO+iS+lV3yh3+hCXPa+uI04j7xXKIOUm4JWCQlWlEKgplLTRkIREfdJ76h/jR:1MR8UC/XuIJIrt4JW7WlULlkI6L7C9

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

containerServerNet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\containerServerNet.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\""	containerServerNet.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2992	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2992	schtasks.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

containerServerNet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	containerServerNet.exe

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

3440 dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3440	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

containerServerNet.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\uk-UA\\dllhost.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\uk-UA\\dllhost.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerServerNet = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\containerServerNet.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerServerNet = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\containerServerNet.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	containerServerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\""	containerServerNet.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC1BD3B6607B1244D9A1FF5939AD55BC43.TMP	csc.exe
File created	\??\c:\Windows\System32\pb7nq5.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

containerServerNet.exe

description	ioc	process
File created	C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe	containerServerNet.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\5940a34987c991	containerServerNet.exe

Drops file in Windows directory 2 IoCs

Processes:

containerServerNet.exe

description ioc process

File created C:\Windows\uk-UA\dllhost.exe containerServerNet.exe
File created C:\Windows\uk-UA\5940a34987c991 containerServerNet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\uk-UA\dllhost.exe	containerServerNet.exe
File created	C:\Windows\uk-UA\5940a34987c991	containerServerNet.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4368	schtasks.exe
3784	schtasks.exe
4832	schtasks.exe
2392	schtasks.exe
2952	schtasks.exe
4692	schtasks.exe
688	schtasks.exe
1200	schtasks.exe
4504	schtasks.exe
4736	schtasks.exe
520	schtasks.exe
384	schtasks.exe
4812	schtasks.exe
2172	schtasks.exe
3560	schtasks.exe
4884	schtasks.exe
4376	schtasks.exe
896	schtasks.exe

Modifies registry class 1 IoCs

Processes:

containerServerNet.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings containerServerNet.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	containerServerNet.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

containerServerNet.exe

pid	process
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe
1216	containerServerNet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

containerServerNet.exedllhost.exe

description pid process

Token: SeDebugPrivilege 1216 containerServerNet.exe
Token: SeDebugPrivilege 3440 dllhost.exe

description	pid	process
Token: SeDebugPrivilege	1216	containerServerNet.exe
Token: SeDebugPrivilege	3440	dllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

containerServerNet.execsc.execmd.exe

description	pid	process	target process
PID 1216 wrote to memory of 4144	1216	containerServerNet.exe	csc.exe
PID 1216 wrote to memory of 4144	1216	containerServerNet.exe	csc.exe
PID 4144 wrote to memory of 2848	4144	csc.exe	cvtres.exe
PID 4144 wrote to memory of 2848	4144	csc.exe	cvtres.exe
PID 1216 wrote to memory of 2020	1216	containerServerNet.exe	cmd.exe
PID 1216 wrote to memory of 2020	1216	containerServerNet.exe	cmd.exe
PID 2020 wrote to memory of 2972	2020	cmd.exe	chcp.com
PID 2020 wrote to memory of 2972	2020	cmd.exe	chcp.com
PID 2020 wrote to memory of 1512	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 1512	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 3440	2020	cmd.exe	dllhost.exe
PID 2020 wrote to memory of 3440	2020	cmd.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe
"C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amu4125i\amu4125i.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BE0.tmp" "c:\Windows\System32\CSC1BD3B6607B1244D9A1FF5939AD55BC43.TMP"
3⤵
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9LGG0EQHLJ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2972

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1512

C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe
"C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerServerNet" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9LGG0EQHLJ.bat
Filesize
233B

MD5
8f474c92f7d5dead6a63f4cd72d07c98

SHA1
a42cc601fe832ff90b779c8a95e2fd0a17aa94a3

SHA256
f11ef3f21e67e3a6d4c42039d442be7db1365e92a36fecc8408279cb2e4ed25f

SHA512
d743df5a98ea87fe584c86db0342c45b18dd7cbe4ab1ef47238e4cb933dbd2836933dcfd09b52ccac38f597479e9e105fc1c2fdb694b14a5ae62d37cf5825e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BE0.tmp
Filesize
1KB

MD5
84b6a4b7c58984a10b2398eec71c33b2

SHA1
46885f272abde146974d323f499a77440e0d2013

SHA256
65e33ea05c3644c5b0049bc9a8b53f52e3d19b42ade01c62ebac4664c3d7bca1

SHA512
b5b987b72313df3b9b919f1a469c300f1e45c9200d6352f3efd26748dc3f7355e1d64834bc62484294b576259b8a2714eac97162b3481a5c6a6f42bf005fc50a

Download Submit
C:\Users\Default\sppsvc.exe
Filesize
1.8MB

MD5
890b5cd71949526257d1497549da82ef

SHA1
1054441b6b2ec4b87a9e749ba7f2df20d58baa54

SHA256
e01bf187051ab20ecf85a9cea1c4c9072fd05658e7a9109e9c080161d9ad2e57

SHA512
5f65d1802332ead2af69dab9dcffbb8d2b70638c7f78babc72e35007fce09e6472dacb38c7b309490ccbd8cf848d0e365a211571d57b4912e52a5802e2bb0143

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amu4125i\amu4125i.0.cs
Filesize
364B

MD5
50dee94df58e1ffdb9a31b006ac12612

SHA1
b06867671732b20487e320dd5ead935fc510c6eb

SHA256
e640fbde58016f9a943646dfe881899477ebfd447ea0d679341786895f30daf6

SHA512
baf18f91670bac3a57a77a4679dec77eeda7a1f5dfc5b650be6bdd0c6b4bd47be324ac27c78681bfb0c99a653d940701c18aff8984e84880cf57f6ad7e6ea3d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amu4125i\amu4125i.cmdline
Filesize
235B

MD5
6ef0035e074c2d52cb76b3eb2e1b2933

SHA1
c1fd2f3f456d39e33c7fed53fefbcba6b6fd8a2e

SHA256
646245e2a42e3eb9f84828d0c9efc92f828aa3ec45508791e5cea25d9c97d17d

SHA512
d9dc8133ebbd9f0263331f38500a194085d1d0e7596b7e91e6297c96192995b829e92b069572008b19cdba354247673a3e2676e60ad56d2657d9978d3482d2d3

Download Submit
\??\c:\Windows\System32\CSC1BD3B6607B1244D9A1FF5939AD55BC43.TMP
Filesize
1KB

MD5
1698af2b79b4ffd499309c965169ae30

SHA1
e54beb6e91f1272ec2989800895d6e1d8a6332b4

SHA256
98b74452ccce9477030c647d3a662619a85f9160e1a2b35e7ad9c08021035d9e

SHA512
b52057d6526f676e61ab07f7c25d2ff4fe969e7462d037fdc757a62ac6e91ed55df485cc28c135799378c90f257aec1767b43e3bf328a0340c63e678d781a8f0

Download Submit
memory/1216-6-0x0000000003270000-0x000000000327E000-memory.dmp

Filesize
56KB

Download
memory/1216-7-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-10-0x000000001BD80000-0x000000001BD9C000-memory.dmp

Filesize
112KB

Download
memory/1216-11-0x000000001C020000-0x000000001C070000-memory.dmp

Filesize
320KB

Download
memory/1216-13-0x000000001BDA0000-0x000000001BDB8000-memory.dmp

Filesize
96KB

Download
memory/1216-15-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-16-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-27-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-28-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-8-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-1-0x00007FFF63EE3000-0x00007FFF63EE5000-memory.dmp

Filesize
8KB

Download
memory/1216-4-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-34-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-3-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-2-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download
memory/1216-0-0x0000000000E70000-0x0000000001042000-memory.dmp

Filesize
1.8MB

Download
memory/1216-48-0x00007FFF63EE0000-0x00007FFF649A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads