cinoshi | ec9ca9135a1052109a310cbf594ce26b2d52545c6f254d7d042ec61f09dfea90

General

Target

nitro generator.exe
Size

2.7MB
MD5

3373253f2f609bd2c3fb917e7d5f753a
SHA1

00571dc9f73635d355d3123a42ad860eee21de07
SHA256

751736b637f142637a3efa5a4c8ba281c949e5054656554931514e6f03642bfa
SHA512

39024cb5fac8ba4524571f4e193409726fc0779ba1c2c67e9fa33b19bf5fa54297ee2470d0f9ad4a0cfe87f7a466a54b212e34c5c34e195f80a91dd4e788c341
SSDEEP

24576:W5FcdZnozS74/KabrCEmxE3pD1IQybpgwmFpo28x8aonpoNSHL9TIP6vV5tygavO:cFcjH7Qp5nVbpjR3iGnh2lRcKJq7Pw+

Score

10^/10

cinoshi redline bot discovery infostealer persistence spyware stealer

Malware Config

Signatures

Cinoshi
Cinoshi stealer is part of Cinoshi project Malware-as-a-Service (MaaS) written in C#.
bot stealer cinoshi

Detect Cinoshi payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2540-0-0x0000000000400000-0x00000000006B5000-memory.dmp	family_cinoshi
C:\Users\Admin\AppData\Local\Temp\faintxakers-420787300007.exe	family_cinoshi
behavioral1/memory/2148-157-0x00000000003E0000-0x000000000044C000-memory.dmp	family_cinoshi

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

block.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2360-150-0x0000000000780000-0x00000000007A8000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

@flamelos_easy.exefaintxakers-420787300007.exeblock.exe

pid process

2360 @flamelos_easy.exe
2148 faintxakers-420787300007.exe
4028 block.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2360	@flamelos_easy.exe
2148	faintxakers-420787300007.exe
4028	block.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

block.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32Helper = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32Helper* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVidiaUpdate = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVidiaUpdate* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\root = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\root- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\root* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogleChrome- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_8991928E = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_8991928E- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MicrosoftEdgeAutoLaunch_8991928E = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MicrosoftEdgeAutoLaunch_8991928E- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\NVidiaUpdate = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\devenv = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\NVidiaUpdate- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVidiaUpdate- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\root* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MicrosoftEdgeAutoLaunch_8991928E* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\root = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\devenv- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_8991928E* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\devenv = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\root- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogleChrome = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32Helper* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogleChrome* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\devenv* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32Helper = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32Helper- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java = "\"explorer.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32Helper- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\NVidiaUpdate* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\devenv- = "\"cmd.exe\" /c \"@Start /HIGH \"\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\""	block.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\devenv* = "\"mshta.exe\" vbscript:Close(ExecuteGlobal(\"Call CreateObject(\"\"WScript.Shell\"\").Run(\"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\block.exe\"\")\"))"	block.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3616 2148 WerFault.exe faintxakers-420787300007.exe

pid	pid_target	process	target process
3616	2148	WerFault.exe	faintxakers-420787300007.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

faintxakers-420787300007.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	faintxakers-420787300007.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	faintxakers-420787300007.exe

Modifies registry class 1 IoCs

Processes:

nitro generator.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nitro generator.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

faintxakers-420787300007.exe

pid process

2148 faintxakers-420787300007.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

faintxakers-420787300007.exeblock.exe

description pid process

Token: SeDebugPrivilege 2148 faintxakers-420787300007.exe
Token: SeDebugPrivilege 4028 block.exe

pid	process
2148	faintxakers-420787300007.exe

description	pid	process
Token: SeDebugPrivilege	2148	faintxakers-420787300007.exe
Token: SeDebugPrivilege	4028	block.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

nitro generator.exe

description	pid	process	target process
PID 2540 wrote to memory of 2360	2540	nitro generator.exe	@flamelos_easy.exe
PID 2540 wrote to memory of 2360	2540	nitro generator.exe	@flamelos_easy.exe
PID 2540 wrote to memory of 2360	2540	nitro generator.exe	@flamelos_easy.exe
PID 2540 wrote to memory of 2148	2540	nitro generator.exe	faintxakers-420787300007.exe
PID 2540 wrote to memory of 2148	2540	nitro generator.exe	faintxakers-420787300007.exe
PID 2540 wrote to memory of 2148	2540	nitro generator.exe	faintxakers-420787300007.exe
PID 2540 wrote to memory of 4028	2540	nitro generator.exe	block.exe
PID 2540 wrote to memory of 4028	2540	nitro generator.exe	block.exe

C:\Users\Admin\AppData\Local\Temp\nitro generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro generator.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\@flamelos_easy.exe
"C:\Users\Admin\AppData\Local\Temp\@flamelos_easy.exe"
2⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\faintxakers-420787300007.exe
"C:\Users\Admin\AppData\Local\Temp\faintxakers-420787300007.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2152
3⤵
- Program crash
PID:3616

C:\Users\Admin\AppData\Local\Temp\block.exe
"C:\Users\Admin\AppData\Local\Temp\block.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2148 -ip 2148
1⤵
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@flamelos_easy.exe
Filesize
1.1MB

MD5
f1f8fa9c28485654576df9f2fb41f312

SHA1
00c247511a5f4d59882eb7916345cac114f6d5fc

SHA256
25ee9ca48979044e60eeeafd466f106ab5ca4fa953a5df612a2f12700dce63d3

SHA512
adb2e1fe68586a4415f2596fd11d37a118c67ea2b77f28fde9f930dd98baca1d6bc87cee4b4a69bba481b20ad27da7eee529896199beb5507b9ff24c5ff156bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\block.exe
Filesize
327KB

MD5
c7223b193f5c3acfc1e6e7e901bd6578

SHA1
bf8a646bd4cb0ad03280a774f7ea71b7d2e07a88

SHA256
485717dfa45e3a548e7d8f7e4b9f38b4f8e8eba7b2c7f625134fe98e08e1c642

SHA512
9926a01b82a9f0a255f3a48241f73703731308b7b07a96c608cb2338dd391c89b4bc99b871d0869c8ca90f6f765ae8e7e6c14a407168d9c82c233dda092351aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\faintxakers-420787300007.exe
Filesize
410KB

MD5
97b36605db9e163c3963526f1711db41

SHA1
7b30f351e3bbbb651b37c6c78e4efce7e8f51604

SHA256
df6d3552b1c7b74794ca0a5606f0a3654048fbe6218c8cf45fa9d290a3650f88

SHA512
209022d75ca4c1af81df6425338edabb0daae35b200432f284901fd6f5295c3a47c7329d455c8a26354eaf9cb9716d02c4aa809c30c77cc260fe464cfbfd013d

Download Submit
memory/2148-168-0x0000000006290000-0x0000000006322000-memory.dmp

Filesize
584KB

Download
memory/2148-173-0x0000000006A10000-0x0000000006A76000-memory.dmp

Filesize
408KB

Download
memory/2148-149-0x000000007280E000-0x000000007280F000-memory.dmp

Filesize
4KB

Download
memory/2148-171-0x0000000006990000-0x0000000006A06000-memory.dmp

Filesize
472KB

Download
memory/2148-157-0x00000000003E0000-0x000000000044C000-memory.dmp

Filesize
432KB

Download
memory/2148-159-0x00000000026E0000-0x00000000026FA000-memory.dmp

Filesize
104KB

Download
memory/2148-170-0x0000000006600000-0x00000000067C2000-memory.dmp

Filesize
1.8MB

Download
memory/2148-169-0x0000000006210000-0x0000000006222000-memory.dmp

Filesize
72KB

Download
memory/2148-162-0x0000000005340000-0x00000000058E6000-memory.dmp

Filesize
5.6MB

Download
memory/2360-161-0x0000000072800000-0x0000000072FB1000-memory.dmp

Filesize
7.7MB

Download
memory/2360-164-0x0000000007680000-0x0000000007692000-memory.dmp

Filesize
72KB

Download
memory/2360-165-0x00000000076A0000-0x00000000077AA000-memory.dmp

Filesize
1.0MB

Download
memory/2360-166-0x00000000077B0000-0x00000000077EC000-memory.dmp

Filesize
240KB

Download
memory/2360-167-0x0000000007830000-0x000000000787C000-memory.dmp

Filesize
304KB

Download
memory/2360-163-0x0000000007020000-0x0000000007638000-memory.dmp

Filesize
6.1MB

Download
memory/2360-150-0x0000000000780000-0x00000000007A8000-memory.dmp

Filesize
160KB

Download
memory/2360-141-0x0000000000401000-0x00000000004F3000-memory.dmp

Filesize
968KB

Download
memory/2540-0-0x0000000000400000-0x00000000006B5000-memory.dmp

Filesize
2.7MB

Download
memory/4028-160-0x0000029F06130000-0x0000029F06188000-memory.dmp

Filesize
352KB

Download
memory/4028-172-0x0000029F23D40000-0x0000029F23D4A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads