webmonitor | ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
Size

789KB
MD5

8a53427e1c76b904ef0daacf7c8a6ec1
SHA1

92b2b17c7210a720e03aa0b7aada1dd4eefb48bb
SHA256

ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8
SHA512

d7d8871894114639891c0bfdcbb1ba1b008ab484bb70f825a355c0858d1615b15d801af6ee91304bc488fe5ac6ed3dcc6161b3bbd7f7589d25bff3e7c86a827d
SSDEEP

12288:tK65z6saNnviEP5R5LlM0uVLseXcCwjHxQWJm9Hjc3w/:tKsaNiWBwNseXcCUHOAm9H//

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

barclaysb.wm01.to:443

Attributes

config_key
fYgCWawbOgdOjCoFIS3awApyXAxlbcZP
private_key
gbGrRRJty
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/916-45-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/916-44-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/916-78-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4692-84-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4692-97-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WkulBNTtuvNGRzupma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WkulBNTtuvNGRzupma5.exe

Executes dropped EXE 10 IoCs

Processes:

WkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exe

pid	process
2896	WkulBNTtuvNGRzupma5.exe
4976	WkulBNTtuvNGRzupma5.exe
3928	WkulBNTtuvNGRzupma5.exe
4604	WkulBNTtuvNGRzupma5.exe
1644	WkulBNTtuvNGRzupma5.exe
2660	WkulBNTtuvNGRzupma5.exe
3128	WkulBNTtuvNGRzupma5.exe
2872	WkulBNTtuvNGRzupma5.exe
4092	WkulBNTtuvNGRzupma5.exe
928	WkulBNTtuvNGRzupma5.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/916-42-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/916-43-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/916-45-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/916-44-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/916-78-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4692-84-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4692-97-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WkulBNTtuvNGRzupma5.exe8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exeWkulBNTtuvNGRzupma5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\chrome.exe"	WkulBNTtuvNGRzupma5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\chrome.exe"	WkulBNTtuvNGRzupma5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

WkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exe

description	pid	process	target process
PID 2896 set thread context of 916	2896	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 4976 set thread context of 4692	4976	WkulBNTtuvNGRzupma5.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3764	3928	WerFault.exe	WkulBNTtuvNGRzupma5.exe
4496	4604	WerFault.exe	WkulBNTtuvNGRzupma5.exe
3684	1644	WerFault.exe	WkulBNTtuvNGRzupma5.exe
2248	2660	WerFault.exe	WkulBNTtuvNGRzupma5.exe
1772	3128	WerFault.exe	WkulBNTtuvNGRzupma5.exe
3996	2872	WerFault.exe	WkulBNTtuvNGRzupma5.exe
1900	4092	WerFault.exe	WkulBNTtuvNGRzupma5.exe
4676	928	WerFault.exe	WkulBNTtuvNGRzupma5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WkulBNTtuvNGRzupma5.exe

pid	process
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe
2896	WkulBNTtuvNGRzupma5.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

WkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exe

pid process

2896 WkulBNTtuvNGRzupma5.exe
4976 WkulBNTtuvNGRzupma5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WkulBNTtuvNGRzupma5.exevbc.exeWkulBNTtuvNGRzupma5.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2896	WkulBNTtuvNGRzupma5.exe
Token: SeShutdownPrivilege	916	vbc.exe
Token: SeCreatePagefilePrivilege	916	vbc.exe
Token: SeDebugPrivilege	4976	WkulBNTtuvNGRzupma5.exe
Token: SeShutdownPrivilege	4692	vbc.exe
Token: SeCreatePagefilePrivilege	4692	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exeWkulBNTtuvNGRzupma5.execsc.execsc.execmd.exeWkulBNTtuvNGRzupma5.execsc.execsc.exevbc.execmd.exe

description	pid	process	target process
PID 684 wrote to memory of 2896	684	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 684 wrote to memory of 2896	684	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 684 wrote to memory of 2896	684	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 2896 wrote to memory of 2384	2896	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2896 wrote to memory of 2384	2896	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2896 wrote to memory of 2384	2896	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2384 wrote to memory of 4216	2384	csc.exe	cvtres.exe
PID 2384 wrote to memory of 4216	2384	csc.exe	cvtres.exe
PID 2384 wrote to memory of 4216	2384	csc.exe	cvtres.exe
PID 2896 wrote to memory of 2568	2896	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2896 wrote to memory of 2568	2896	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2896 wrote to memory of 2568	2896	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2568 wrote to memory of 4792	2568	csc.exe	cvtres.exe
PID 2568 wrote to memory of 4792	2568	csc.exe	cvtres.exe
PID 2568 wrote to memory of 4792	2568	csc.exe	cvtres.exe
PID 2896 wrote to memory of 916	2896	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2896 wrote to memory of 916	2896	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2896 wrote to memory of 916	2896	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2896 wrote to memory of 916	2896	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2896 wrote to memory of 4784	2896	WkulBNTtuvNGRzupma5.exe	cmd.exe
PID 2896 wrote to memory of 4784	2896	WkulBNTtuvNGRzupma5.exe	cmd.exe
PID 2896 wrote to memory of 4784	2896	WkulBNTtuvNGRzupma5.exe	cmd.exe
PID 4784 wrote to memory of 2676	4784	cmd.exe	choice.exe
PID 4784 wrote to memory of 2676	4784	cmd.exe	choice.exe
PID 4784 wrote to memory of 2676	4784	cmd.exe	choice.exe
PID 2896 wrote to memory of 4976	2896	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 2896 wrote to memory of 4976	2896	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 2896 wrote to memory of 4976	2896	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 4108	4976	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 4976 wrote to memory of 4108	4976	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 4976 wrote to memory of 4108	4976	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 4108 wrote to memory of 1048	4108	csc.exe	cvtres.exe
PID 4108 wrote to memory of 1048	4108	csc.exe	cvtres.exe
PID 4108 wrote to memory of 1048	4108	csc.exe	cvtres.exe
PID 4976 wrote to memory of 3324	4976	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 4976 wrote to memory of 3324	4976	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 4976 wrote to memory of 3324	4976	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 3324 wrote to memory of 3996	3324	csc.exe	cvtres.exe
PID 3324 wrote to memory of 3996	3324	csc.exe	cvtres.exe
PID 3324 wrote to memory of 3996	3324	csc.exe	cvtres.exe
PID 916 wrote to memory of 2904	916	vbc.exe	cmd.exe
PID 916 wrote to memory of 2904	916	vbc.exe	cmd.exe
PID 916 wrote to memory of 2904	916	vbc.exe	cmd.exe
PID 4976 wrote to memory of 4692	4976	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 4976 wrote to memory of 4692	4976	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 4976 wrote to memory of 4692	4976	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 4976 wrote to memory of 4692	4976	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 4976 wrote to memory of 3332	4976	WkulBNTtuvNGRzupma5.exe	cmd.exe
PID 4976 wrote to memory of 3332	4976	WkulBNTtuvNGRzupma5.exe	cmd.exe
PID 4976 wrote to memory of 3332	4976	WkulBNTtuvNGRzupma5.exe	cmd.exe
PID 3332 wrote to memory of 5080	3332	cmd.exe	choice.exe
PID 3332 wrote to memory of 5080	3332	cmd.exe	choice.exe
PID 3332 wrote to memory of 5080	3332	cmd.exe	choice.exe
PID 4976 wrote to memory of 3928	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 3928	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 3928	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 4604	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 4604	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 4604	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 1644	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 1644	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 1644	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 2660	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe
PID 4976 wrote to memory of 2660	4976	WkulBNTtuvNGRzupma5.exe	WkulBNTtuvNGRzupma5.exe

C:\Users\Admin\AppData\Local\Temp\8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5l0bgr1w\5l0bgr1w.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A19.tmp" "c:\Users\Admin\AppData\Local\Temp\5l0bgr1w\CSC66F755EB7E9345DFAD558C5F3A54AF7C.TMP"
4⤵
PID:4216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m4ffw5of\m4ffw5of.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B41.tmp" "c:\Users\Admin\AppData\Local\Temp\m4ffw5of\CSC999244FAF4E24861A6F4C8CC2536FF90.TMP"
4⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BE58FebXSlRKCZyq.bat" "
4⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\05kyngd3\05kyngd3.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7639.tmp" "c:\Users\Admin\AppData\Local\Temp\05kyngd3\CSCB72DD9A1CCD94932BFB81B5BF06F6023.TMP"
5⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4sxishdm\4sxishdm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES787C.tmp" "c:\Users\Admin\AppData\Local\Temp\4sxishdm\CSC5FA2C65862C8459584D6D2E0316FA3D7.TMP"
5⤵
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsB1PyhGTCQZZMWd.bat" "
5⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 784
5⤵
- Program crash
PID:3764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 768
5⤵
- Program crash
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 760
5⤵
- Program crash
PID:3684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 760
5⤵
- Program crash
PID:2248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 760
5⤵
- Program crash
PID:1772

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 760
5⤵
- Program crash
PID:3996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 760
5⤵
- Program crash
PID:1900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
4⤵
- Executes dropped EXE
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 760
5⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3928 -ip 3928
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4604 -ip 4604
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1644 -ip 1644
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2660 -ip 2660
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3128 -ip 3128
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2872 -ip 2872
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4092 -ip 4092
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 928 -ip 928
1⤵
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05kyngd3\05kyngd3.dll
Filesize
1.0MB

MD5
4323a3a1dc61a3732aefc40169a20443

SHA1
e7c645be72535525a43499a6f658a06b1308a712

SHA256
729826d09ca1f2eb69533a4fa727359c6962764747d8d7b38c2952622f9ca56b

SHA512
fefea750e09a5f8e5b44756273c273ab15af711dce223e3cece0c1f083fba29869f6c50bc5304ced3e20b198a3e52d7511f80b6c66972e5bd91e8b3f11b4ff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4sxishdm\4sxishdm.dll
Filesize
1.0MB

MD5
43853def2fad2d67238c7353d44f04cb

SHA1
699c6c2ba8ab1923557ac280c258d03379e81ad3

SHA256
c1ea8d80f7afb4d0617eb7efca256a0d6bebcb6f3c7004eb5c63abd5ead4d683

SHA512
984ea21e8fd5a58e9621a06c7ba473d25b2dd89acec8af6a5372a86a2a6eb0e3aebd7fe6ed96f25d7f478a911413af88c126c2be660c37c49282ceb005450986

Download Submit
C:\Users\Admin\AppData\Local\Temp\5l0bgr1w\5l0bgr1w.dll
Filesize
1.0MB

MD5
e7167850064dfa6f9918c512cfbfb152

SHA1
552184c0b7a6717eaea56c098ac3a2951fe63811

SHA256
1b5dbdb4eb7f52422892df43cd203441151137e9690f63e88e36f98032a91226

SHA512
32601c5f94acba54e41690909772780a57fd5c53121dc16717f5b099aa4e4845a1d773f58f3c9af823cbd71d80e1d17e00f06453ce8056ac54d890e73071d85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE58FebXSlRKCZyq.bat
Filesize
204B

MD5
b7fdb1dc4dc01af8ec491904b87b1d2a

SHA1
363b10020563ff029686c4b668a5ad39f0d99c56

SHA256
5cbb0d5bb68e16d87a569b1dc25fef903969c8034596d59f7a8ab1ce9f05d428

SHA512
260c7de8c45e9b47a8fd42ff2c71776041673602f6215797b2042fdd8a9426444b5a3b7c0bbe0c234cecea718b3b836ed10b750ebc0a8aa6d0ae9d038d6306e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5
Filesize
1.6MB

MD5
9336a58dd62553ad1025b0085c309f85

SHA1
3ef961f070b6c41cbb6ff7ec1c8dea0b241d7f5b

SHA256
f2b18a8847c5e37e3e35f2b3d5221483fa3e5402f8fad346359aef085bed91e0

SHA512
e55569e16251246a06a101caf469416297d9f809f5d376b7184101f86455190f9e3867644babe4189fb1a7587f1b75dd2a75de4b74eee52ee76cef50eb19ed82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
Filesize
303KB

MD5
2ffb347518b712206ec6440ab7d4b3d4

SHA1
a136aa36c1231de677813b38647dca63038c5aba

SHA256
f769198404ca96771b1b7d59c5a7de850ae1e0753c47ca87939609c4abdfeed3

SHA512
7285f77148b3bd6f260b29c94cfd07a9bd17d4929735e616af6d43ec3ad0364ef93b067c2071baf11e10c5e7445cb07c7d1c2ef6107d53bc6b07fdf979c29858

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A19.tmp
Filesize
1KB

MD5
d098ba39c8ba3623be79d3303688e750

SHA1
a2bad802c35c15a0d8b9f756030a0c915a7c82b5

SHA256
d5a5f733d80a8a44946e66dcf2e6f3da2802b9f6569e474bb638a8c598cf97c3

SHA512
ee6808885a6c25e8add42e1517db975207480bb4e07898ccbbc01d541c30378a6fce0cc05a9a0d9cec670a3a24dc2950df15873106dcdd5bbfc4cef6d9cbdb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B41.tmp
Filesize
1KB

MD5
84511c5612c3130e7d848b6222674020

SHA1
dd4d0ac6d113d4fe8728a6dd3ec02eec47c29aa2

SHA256
0d1e0b3eeac585b452e0fad7d6abe5626cfddc316207cedd093d8958138be843

SHA512
7e1fe9642fb15de5e712b50e07fff815d20ed56c70a47a79afc4bf6a22201acecf47d6813d18b1e930bf3446be569ea8cbcd7491e315c1d868b90817cac7a75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7639.tmp
Filesize
1KB

MD5
73bd9c2c7e030708e0c9aa935ae15ebe

SHA1
06efc33fddc868e76fe44671f5db12f1a6f12872

SHA256
22aa7b5011bd503477f50549c0c72f7bf70a3b95d6c39cdcaa473999f5d4b94c

SHA512
5ea0642d3bfe915d9e453be62645b84053f231b807b818116f243b340166f4cd55dfe30475b37191dbf6542cd898d71eb14b7713d2190046b86a437d0b018e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES787C.tmp
Filesize
1KB

MD5
de9347c7cd49b02f3640b3a3472c3056

SHA1
004b474a198922ebafbd10092663e28cfbff8533

SHA256
35338d3606de846406ec77c3e5aed724c670cac43b8a2809c6918e65d1430b8b

SHA512
25306e662e4ce9bdae58fc6cf90e15c7830c8b82e666bccf0e299b7eabeef6be5b47bc160aaa4b6bb5b93ac895d949429b95c71ee35379e2324f4d4d70c73a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\m4ffw5of\m4ffw5of.dll
Filesize
1.0MB

MD5
dfd7697d5ef03eec22edea176c9b5a28

SHA1
af88224e748226b38eb77866ab06867113c75abd

SHA256
3586fbc1752a3c0b5e3965612b90ee2212354937dbce2816a126d969342dc2f3

SHA512
e1c26e25257f0a8edbeab469f0bcc793d06c884dea752d550be9f0c74f4444a1d74efda2e90b7541ea8f0b6adc039b030c832f005a7bea9ca56eddf24e67992b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsB1PyhGTCQZZMWd.bat
Filesize
204B

MD5
1f1780565e9aaba256c07d44940db0bf

SHA1
a170614f1b3f47d8e8c7b8e16aa7a31967085864

SHA256
a0e39a3c5ab727d6d381a057dff79896fb6b37138eb011e5c6beb9624e2bb9be

SHA512
ec04b63120ea72cb5647bf262cb138f0d206630fecc997c305a6f508bf211b69a7ad9cb46971d6836a83e70214d99f29b6ebfb413da0bffa3d52734df6e6475d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\05kyngd3\05kyngd3.cmdline
Filesize
302B

MD5
51b4f678bfeff89927ffb3f4980118ee

SHA1
69b86b07206f42666c9dd73499265283d8ffe76e

SHA256
99732936f7eefb1f4bed2adae68683b2222c08e14c181cdfeaea3005b046c703

SHA512
2a4619f1896492812a3d173ef2853bfc74bf641c5bfb254b6177f0a8fc64659edc9811db36df04057b77eb46b7edaa8b809a1c5fc4b0af366d4b67bc1117a12c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\05kyngd3\CSCB72DD9A1CCD94932BFB81B5BF06F6023.TMP
Filesize
652B

MD5
a5015be4cea3a490db92a9f4afc91a3c

SHA1
9e9a494097f0943384e3e40950a226bdca5b7430

SHA256
3c3ba7b0ad130c023b46a97fd6c35c3f80d8bccc9eb2c6ab4537fb78a4dd476d

SHA512
8e106ef02b13bb11c47a8eb853d215a422dd2abcf4291ce658a8d493327570b3f3c94ae873c5f476b981f13711c954f041bdd92395b4a11f76285565d8196d00

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4sxishdm\4sxishdm.cmdline
Filesize
302B

MD5
95a44084d8ce96b6cf1686264d69afe6

SHA1
6a4056181edb87e1338e52437a152187f8fe45f9

SHA256
10e165d76394fc37004fad83f272d518fbc1e7d7f6af28a9776667527fb9cd8f

SHA512
8fe084122af4721110ff27c06a095e019cf12535907ab06443c46eeefe64e2cf84cfb1fafbc7d5e1a27d1b6fd1956fb1b3eb4339d6d2c99a237541ac12e5aac9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4sxishdm\CSC5FA2C65862C8459584D6D2E0316FA3D7.TMP
Filesize
652B

MD5
79f4c0e9b640ae5c3a025dafa63dcb27

SHA1
644735c1d787d5674bdfae9e267bc444dfc745ba

SHA256
40364b3c721473769fbe09bb4122101c4f33e5ff588ee49b84d709105420a1b0

SHA512
d5e0f7676bc6a57c050095aeea86dea30d09a6d77bd4eec80c8ab77887390d809419fda904c4ee9737c2549a20b178ef2c49cd32719b4ab328a5d8412cea160b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5l0bgr1w\5l0bgr1w.0.cs
Filesize
1.6MB

MD5
449528b591d6d481a74c0ee934b20741

SHA1
12e28d2cdbd508c44592b1bba6011dc1047aef0a

SHA256
174d2cd95d229c6eb3fcc395ec9de7a75a0b5333d2510fc461e1842068be7220

SHA512
361b3db905c106288488fd9bd4ef7588ec06f02e55f4f4b1ca4c757e1df630c18b2027f598a62a71273660916cbfc37685f43971abd84d90c03f7f986566af5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5l0bgr1w\5l0bgr1w.cmdline
Filesize
302B

MD5
23cec08974a14d59de7514a545100ee0

SHA1
b474f2418de04a3054365f7d18466d2dcfac00cf

SHA256
4c1dc5c74f64b0ac95ddef7181aa56b2f4b637ab9ffc66f24161d2075996fef3

SHA512
058ec4df7c2741ecf13eee004adf9e597d4423e213b3d84a20b1032a79bee6795378c49df0dbe4bb59ecb57783f52154d4c09498d6230eef78a9e629a5cd7650

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5l0bgr1w\CSC66F755EB7E9345DFAD558C5F3A54AF7C.TMP
Filesize
652B

MD5
9b5706269ee3a7f3c204f4db3da6307c

SHA1
4454e8c657a42190ff0d2be0ba601657eecacacc

SHA256
01a9553602191b609a0562795e4fd9bbac5bab02d7b0da7b9204fa2bf8c96c71

SHA512
d34b43839629010bed8e1ec048991eb540d32ed3ed1c0bd621d5fd386afb2f4e0e9f244e5faaf00ea1386765f025d4f800a9f0eab5e13a74a855679d87d08dc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m4ffw5of\CSC999244FAF4E24861A6F4C8CC2536FF90.TMP
Filesize
652B

MD5
a9f4712d3834be7e159db11da1064f0c

SHA1
dfef0991c46c6ef2b954b75e708b151b5cc9aa00

SHA256
d00d06ad99bd5ddee7f0cea8e3f8481247ec3c5784167068265ad57926b63e1f

SHA512
a2e14825efecb402efe20a3874191295a7c4784e49b8a38f308ae054d0309bffe954f2f21ab221c2c9b3871e1f986eab5c43a455da34f5ff4f1d7ee5c07198cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m4ffw5of\m4ffw5of.cmdline
Filesize
302B

MD5
ce711303dcd4d88a5bed57caf0481291

SHA1
2e3de6ce6b0a61094d04b13f795ddf5ce31a8031

SHA256
9d73cafe8b0653236acbeba71f674b2da8723ba6157c5ff75094e9900d975f8c

SHA512
29fa5e364aaf1a681c9e5635308eb70e75e72c85f31e721a914b75e02ce262d3ed2d4e189ed5814d2eacfbdac73d5fbf89cfc72dfd51abdcb5b3c63786bb8ead

Download Submit
memory/916-43-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/916-44-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/916-45-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/916-42-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/916-78-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2896-7-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/2896-39-0x0000000005670000-0x00000000056DA000-memory.dmp

Filesize
424KB

Download
memory/2896-37-0x0000000005850000-0x0000000005962000-memory.dmp

Filesize
1.1MB

Download
memory/2896-23-0x0000000005740000-0x0000000005852000-memory.dmp

Filesize
1.1MB

Download
memory/2896-13-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/2896-85-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/2896-8-0x0000000000D10000-0x0000000000D62000-memory.dmp

Filesize
328KB

Download
memory/2896-80-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/4692-84-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4692-97-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4976-73-0x0000000005290000-0x00000000053A2000-memory.dmp

Filesize
1.1MB

Download
memory/4976-59-0x0000000005160000-0x0000000005272000-memory.dmp

Filesize
1.1MB

Download