0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe
Size

2.6MB
MD5

d347bb304bb6dded0201e1f47ca11df5
SHA1

26edc873d63a601b319fd20cd314f83b5b3a9ed2
SHA256

0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a
SHA512

33772061380cf719616bc422b153567e7ecae449a49d15beabf4139b4437a9c3ea89172bbb8049b97783fb122dadb2b455436c91268b34e4e5b2fa37706ed997
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4e0:ObCjPKNqQEfsw43qtmVfq4/

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral2/memory/4676-17-0x0000000000400000-0x000000000048E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4676-24-0x0000000000400000-0x000000000048E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with MEW 3 IoCs

resource	yara_rule
behavioral2/memory/1084-35-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW
behavioral2/memory/1084-38-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW
behavioral2/memory/1084-36-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/memory/3252-29-0x0000000000400000-0x0000000000491000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3252-31-0x0000000000400000-0x0000000000491000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral2/memory/4676-15-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/4676-16-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/4676-17-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/4676-24-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral2/memory/3252-27-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral2/memory/3252-29-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral2/memory/3252-31-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral2/memory/3252-28-0x0000000000400000-0x0000000000491000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
2748	jhdfkldfhndfkjdfnbfklfnf.exe
4268	winmgr119.exe
4332	winmgr119.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4676-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4676-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4676-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4676-24-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3252-27-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3252-29-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3252-31-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3252-28-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	icanhazip.com
39	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00110000000233cc-3.dat	autoit_exe
behavioral2/files/0x00070000000233cd-42.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 4868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	93
PID 4868 set thread context of 4676	4868	RegAsm.exe	97
PID 4868 set thread context of 3252	4868	RegAsm.exe	99
PID 4868 set thread context of 1084	4868	RegAsm.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4792	schtasks.exe
3636	schtasks.exe
316	schtasks.exe
2604	schtasks.exe
4412	schtasks.exe
3892	schtasks.exe
448	schtasks.exe
3956	schtasks.exe
1988	schtasks.exe
2448	schtasks.exe
4968	schtasks.exe
1424	schtasks.exe
2868	schtasks.exe
5060	schtasks.exe
1380	schtasks.exe
1560	schtasks.exe
2940	schtasks.exe
3396	schtasks.exe
220	schtasks.exe
4516	schtasks.exe
868	schtasks.exe
2348	schtasks.exe
4696	schtasks.exe
2580	schtasks.exe
2192	schtasks.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File created	C:\Users\Admin\AppData\Local\Temp\0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe:Zone.Identifier:$DATA	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe
4068	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4268	winmgr119.exe
4268	winmgr119.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
2748	jhdfkldfhndfkjdfnbfklfnf.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe
4868	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	RegAsm.exe
Token: SeDebugPrivilege	4676	cvtres.exe
Token: SeDebugPrivilege	3252	cvtres.exe
Token: SeDebugPrivilege	1084	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4868	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2748	4068	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe	92
PID 4068 wrote to memory of 2748	4068	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe	92
PID 4068 wrote to memory of 2748	4068	0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe	92
PID 2748 wrote to memory of 4868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	93
PID 2748 wrote to memory of 4868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	93
PID 2748 wrote to memory of 4868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	93
PID 2748 wrote to memory of 4868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	93
PID 2748 wrote to memory of 4868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	93
PID 2748 wrote to memory of 4412	2748	jhdfkldfhndfkjdfnbfklfnf.exe	94
PID 2748 wrote to memory of 4412	2748	jhdfkldfhndfkjdfnbfklfnf.exe	94
PID 2748 wrote to memory of 4412	2748	jhdfkldfhndfkjdfnbfklfnf.exe	94
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 4676	4868	RegAsm.exe	97
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 3252	4868	RegAsm.exe	99
PID 4868 wrote to memory of 1084	4868	RegAsm.exe	101
PID 4868 wrote to memory of 1084	4868	RegAsm.exe	101
PID 4868 wrote to memory of 1084	4868	RegAsm.exe	101
PID 4868 wrote to memory of 1084	4868	RegAsm.exe	101
PID 4868 wrote to memory of 1084	4868	RegAsm.exe	101
PID 4868 wrote to memory of 1084	4868	RegAsm.exe	101
PID 2748 wrote to memory of 448	2748	jhdfkldfhndfkjdfnbfklfnf.exe	103
PID 2748 wrote to memory of 448	2748	jhdfkldfhndfkjdfnbfklfnf.exe	103
PID 2748 wrote to memory of 448	2748	jhdfkldfhndfkjdfnbfklfnf.exe	103
PID 2748 wrote to memory of 4696	2748	jhdfkldfhndfkjdfnbfklfnf.exe	106
PID 2748 wrote to memory of 4696	2748	jhdfkldfhndfkjdfnbfklfnf.exe	106
PID 2748 wrote to memory of 4696	2748	jhdfkldfhndfkjdfnbfklfnf.exe	106
PID 2748 wrote to memory of 868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	108
PID 2748 wrote to memory of 868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	108
PID 2748 wrote to memory of 868	2748	jhdfkldfhndfkjdfnbfklfnf.exe	108
PID 2748 wrote to memory of 3396	2748	jhdfkldfhndfkjdfnbfklfnf.exe	111
PID 2748 wrote to memory of 3396	2748	jhdfkldfhndfkjdfnbfklfnf.exe	111
PID 2748 wrote to memory of 3396	2748	jhdfkldfhndfkjdfnbfklfnf.exe	111
PID 2748 wrote to memory of 4792	2748	jhdfkldfhndfkjdfnbfklfnf.exe	113
PID 2748 wrote to memory of 4792	2748	jhdfkldfhndfkjdfnbfklfnf.exe	113
PID 2748 wrote to memory of 4792	2748	jhdfkldfhndfkjdfnbfklfnf.exe	113
PID 2748 wrote to memory of 220	2748	jhdfkldfhndfkjdfnbfklfnf.exe	115
PID 2748 wrote to memory of 220	2748	jhdfkldfhndfkjdfnbfklfnf.exe	115
PID 2748 wrote to memory of 220	2748	jhdfkldfhndfkjdfnbfklfnf.exe	115
PID 2748 wrote to memory of 2348	2748	jhdfkldfhndfkjdfnbfklfnf.exe	117
PID 2748 wrote to memory of 2348	2748	jhdfkldfhndfkjdfnbfklfnf.exe	117
PID 2748 wrote to memory of 2348	2748	jhdfkldfhndfkjdfnbfklfnf.exe	117
PID 2748 wrote to memory of 3956	2748	jhdfkldfhndfkjdfnbfklfnf.exe	120
PID 2748 wrote to memory of 3956	2748	jhdfkldfhndfkjdfnbfklfnf.exe	120
PID 2748 wrote to memory of 3956	2748	jhdfkldfhndfkjdfnbfklfnf.exe	120
PID 2748 wrote to memory of 1988	2748	jhdfkldfhndfkjdfnbfklfnf.exe	122
PID 2748 wrote to memory of 1988	2748	jhdfkldfhndfkjdfnbfklfnf.exe	122
PID 2748 wrote to memory of 1988	2748	jhdfkldfhndfkjdfnbfklfnf.exe	122
PID 2748 wrote to memory of 4516	2748	jhdfkldfhndfkjdfnbfklfnf.exe	124
PID 2748 wrote to memory of 4516	2748	jhdfkldfhndfkjdfnbfklfnf.exe	124
PID 2748 wrote to memory of 4516	2748	jhdfkldfhndfkjdfnbfklfnf.exe	124
PID 2748 wrote to memory of 3636	2748	jhdfkldfhndfkjdfnbfklfnf.exe	126
PID 2748 wrote to memory of 3636	2748	jhdfkldfhndfkjdfnbfklfnf.exe	126
PID 2748 wrote to memory of 3636	2748	jhdfkldfhndfkjdfnbfklfnf.exe	126

C:\Users\Admin\AppData\Local\Temp\0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe
"C:\Users\Admin\AppData\Local\Temp\0ddd2e749d0156fabb57980a3799ff7def0a9000493d840620797c87999e576a.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4068
- C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpBF97.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC228.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:3252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC277.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4412
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:448
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4696
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:868
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3396
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4792
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:220
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3956
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1988
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4516
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3636
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2580
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:316
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2868
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:5060
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2448
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4968
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1380
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3892
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1424
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1560

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4268

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

Filesize
2.6MB

MD5
ae7881d2c433ccdd58f6ec216e4acd2c

SHA1
fedf21050b38fcd2b03f2c666de2e17196d216dd

SHA256
786332d495e7063659ea18ec14160fe2ca5798b51407bc16c7e117638eda9043

SHA512
bb602fe63aabc3a3ca4f109f8b9a95bea5677997d494fde4f01151566ebb14629ccb074e7c6779bb596c05bca7daa7670d15212813a13757a057fb9c1fab8ab7

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

Filesize
8B

MD5
ae50b6100e5abbc08af4e94fe8157d29

SHA1
deab1853b9a0bb91eef4280aae21ae35d30b383f

SHA256
a85800dd837fef7445ee0fcc34950e85c882695ff177c414f859359a331daaa4

SHA512
fcc633aa55526ea1fe762454d3e32189afb88ad58c5914af6221274d5569f7751158137c24739b1b6fabdd12f589791bc971bce1cb8d2ad5844141516ca627ed

Download Submit
C:\ProgramData\winmgr119.exe

Filesize
2.6MB

MD5
ffcd776fc9de565e271f31466426ad01

SHA1
26ae984c4e8fbae78c2750a15ed75c99ae6c746b

SHA256
66c1fbe177ce2b0f81013bc3c11ace9b46d8bbebb1034987115517d653c2440a

SHA512
8ad171b131cbef2a84ff322ed09bc1db36416227e65639ca33078433e5fecac1530c1f192892bf2f4b26a55b02f7a01b24bc41603292ab645131bf1165588b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF97.tmp

Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC228.tmp

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC277.tmp

Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
memory/1084-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3252-31-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3252-28-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3252-29-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3252-27-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4676-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4676-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4676-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4676-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4868-11-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4868-10-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4868-9-0x0000000073782000-0x0000000073783000-memory.dmp

Filesize
4KB

Download
memory/4868-44-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4868-45-0x0000000073782000-0x0000000073783000-memory.dmp

Filesize
4KB

Download
memory/4868-46-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4868-8-0x0000000000D50000-0x0000000000E1A000-memory.dmp

Filesize
808KB

Download