aac483ae766d6ff52801c293af713e9d19eb9ad455eab64132cb3272043391e0

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Size

10.1MB
MD5

8b3b520f329d7bcae28e0a13e4596734
SHA1

77b663e66ec4bf6eca0277731fcf2141fbcfbaa0
SHA256

aac483ae766d6ff52801c293af713e9d19eb9ad455eab64132cb3272043391e0
SHA512

79e2c125989536afad9cc6c5fd36137863cca0463767404883c874211fe9b0d750afece50427a8cc4796c32a193d9b5bc9c53b66ff81f4a6a3d71b52f39ca0e9
SSDEEP

196608:kdad4T0xcsSB5orrcbSsi0s/lmPJ7N3VvXWrqufezvq:AadCoXrlAJ7N3pXW2uGzy

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2832	lite_installer.exe
3024	seederexe.exe
380	sender.exe

Loads dropped DLL 13 IoCs

pid	Process
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
3024	seederexe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2204	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\R:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\Y:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\S:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\O:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\U:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\W:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\E:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\L:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\X:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\P:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\Q:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\V:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\Z:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\I:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1F68.tmp	msiexec.exe
File created	C:\Windows\Installer\f76195b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E6C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F19.tmp	msiexec.exe
File created	C:\Windows\Installer\f76195a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76195a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76195b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CA3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2005.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
2204	msiexec.exe
2204	msiexec.exe
2832	lite_installer.exe
2832	lite_installer.exe
2832	lite_installer.exe
2832	lite_installer.exe
3024	seederexe.exe
380	sender.exe
380	sender.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeIncreaseQuotaPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeCreateTokenPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeLockMemoryPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeIncreaseQuotaPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeMachineAccountPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeTcbPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeSecurityPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeTakeOwnershipPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeLoadDriverPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeSystemProfilePrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeSystemtimePrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeProfSingleProcessPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeIncBasePriorityPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeCreatePagefilePrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeCreatePermanentPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeBackupPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeRestorePrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeShutdownPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeDebugPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeAuditPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeSystemEnvironmentPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeChangeNotifyPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeRemoteShutdownPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeUndockPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeSyncAgentPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeEnableDelegationPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeManageVolumePrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeImpersonatePrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeCreateGlobalPrivilege	1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
1940	2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2204 wrote to memory of 2396	2204	msiexec.exe	29
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 2832	2396	MsiExec.exe	30
PID 2396 wrote to memory of 3024	2396	MsiExec.exe	31
PID 2396 wrote to memory of 3024	2396	MsiExec.exe	31
PID 2396 wrote to memory of 3024	2396	MsiExec.exe	31
PID 2396 wrote to memory of 3024	2396	MsiExec.exe	31
PID 3024 wrote to memory of 380	3024	seederexe.exe	32
PID 3024 wrote to memory of 380	3024	seederexe.exe	32
PID 3024 wrote to memory of 380	3024	seederexe.exe	32
PID 3024 wrote to memory of 380	3024	seederexe.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_8b3b520f329d7bcae28e0a13e4596734_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7D0ECFA7F5C12729DC17E933D44D49BA
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\7483E377-B72F-4267-A31F-E975B105E9D5\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7483E377-B72F-4267-A31F-E975B105E9D5\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\0C417CBE-E843-4128-AC66-2DB071FF32D3\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\0C417CBE-E843-4128-AC66-2DB071FF32D3\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\208C3FE7-4544-49F6-8D7E-4632B3311A4E\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\208C3FE7-4544-49F6-8D7E-4632B3311A4E\sender.exe
      C:\Users\Admin\AppData\Local\Temp\208C3FE7-4544-49F6-8D7E-4632B3311A4E\sender.exe --send "/status.xml?clid=2413642&uuid=2955837e-4F09-43AE-92B5-A4F0E5F594f7&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76195c.rbs

Filesize
575B

MD5
016f27f749c6e2e7aeed1bc4b0c78de0

SHA1
7c2fdfd9d73d934432da6fb77b44c546870c7792

SHA256
04183fd08ff67ca572bb63097181d88c1f40121a7857ebf1d8da44fa1e154ac7

SHA512
e0272bdb0ab07bc5f6bbc35bf310f5fcc94e8f761878d3c24194b61a43d07e022096f3c4fe19ec4cfefd9243c4508bad1ac36fb6baca34ab2af7a66dabfa6635

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90545caac46ac21387effe35b13515db

SHA1
f98ee2dc86976e41ca22ca1072fa40c76d545c81

SHA256
6d93e7c05632fea3d7c58259f521a2d0a335ec7c50599748a990d6dfe91e0d46

SHA512
16fb9434c41b7da6e3783fb9eb6b892508b46586b3c7b3e36ba1710190c1910b6d975a25fb8885f51630a481a476ccb5b5faeb088a8dba40336530457e3f3d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab14F9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP

Filesize
41.3MB

MD5
1d6cfd7db58008d1b44328c5a3a4220c

SHA1
8e8304bfd7a73b9ae8415b6cbd273e612868a2b2

SHA256
915e46dcc29d6fee123c4b8e88d846ac95ffd4a6f4eb956dc882d305ee1b8256

SHA512
4c17160aa83abeff897462f981226902dd6694817ad95f246511fc63c637bdffa0989a3db00c4309fa673a13b4993c509df538ddad482d1be8b4058749ee93f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar150C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1669.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
34KB

MD5
137052cca28b0cb2242b6b86ce11c332

SHA1
0e6574c702a3e24f85b9f48c11b82c6989e93d3d

SHA256
57a5ad6f597af96a894849d750fd20da050c725d0ec3999765207b668fc8032f

SHA512
9a54256b65317dd4957bd767c6b5056359968c10a54fa2f6739eedbb013c028c044d2936436e182f081067d05fc33dc8e714864885c128037d7a99be5ed206cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
530B

MD5
9df18cd11f2e352459261c19a94c4b0e

SHA1
f0b76ff6392d7689e746379c862654e68b7d9470

SHA256
274275dcb5bb6666968e62e1168ca025c6ae0cb29fc5b4018ffcb1fbc0b7b645

SHA512
a0d7cecbf45bfc83a3e664235cbe8a8146f33db714243cd7fa31e862a06034b06bd0e30882035877b987eb02ae6955fc3545ecd6b861ef94562e0fe18e269658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3024aaaaaa

Filesize
2.5MB

MD5
fefc3d677388386c29d8720c15b9db3f

SHA1
370f1f40ae5c652d87b3b8f42e67d827af2b1754

SHA256
74d5e8d3cd8d659d8df8e6f306832dfc252e1a6e676bb60334e31b5943deb4fb

SHA512
b462ca1ffb0798bedc39c945daa75ff73e0efbb1c6dfdb262e6b2936158933f514f0b4169e811069df11aaeaebd39c826ce0caf9f6eb6d77de249fca6abe39fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
509B

MD5
3b03e3552f4735cbc1eb75e3411b6bec

SHA1
877e906f16dfa4f971ccf1fec9565f492707b766

SHA256
819b8d391af71b5521e78dabbd33df5eba7ff07799edcce9ecb806e78569fcff

SHA512
3f2d08dc06fba08d5b6a5da5123c27d649025c8ed4ffaf808bbef48bfde90c0159c63eacc35e8428601ad87d5b6720dbcc4988a2898ef672aa3f702a73eefcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
9.8MB

MD5
843ebfc87d45f97581c2b82b81a68d4b

SHA1
16cb4d4e594b04d1079f2bef4cd187862406e96d

SHA256
c173c79096bd20ca67fa399a60f25d8b76381ebea3b1643becae751e7c479657

SHA512
c54975a09a194eca36c69766f9ebd00bbcb90acf23dd607948ca372839ac045876976018da3deb509cc857f9ba94668dc5dc4dfeea2cbba0ee0e16f0a26772cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin\places.sqlite-20240602185827.652400.backup

Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240602185827.730400.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240602185827.730400.backup

Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
36B

MD5
61eacbcf90333d743f0bd897232a48de

SHA1
485fa197fca4f47c0cb65271ffaebff2bc8de884

SHA256
cab76ef60ade9d3fad9debe5e77a1c99f9bd1c8b7f4f9827f058c77cc74cdfda

SHA512
55054451ba9f4a6676603962f7cbc356440f8055875d235fea578712ddfaec2e6f74932f93736f639358313dc265f23a9a0dfe48006ab1790af4dd69dd960af4

Download Submit
C:\Windows\Installer\MSI1BC7.tmp

Filesize
181KB

MD5
0c80a997d37d930e7317d6dac8bb7ae1

SHA1
018f13dfa43e103801a69a20b1fab0d609ace8a5

SHA256
a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

SHA512
fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

Download Submit
C:\Windows\Installer\MSI1C35.tmp

Filesize
189KB

MD5
e6fd0e66cf3bfd3cc04a05647c3c7c54

SHA1
6a1b7f1a45fb578de6492af7e2fede15c866739f

SHA256
669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

SHA512
fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

Download Submit
\Users\Admin\AppData\Local\Temp\0C417CBE-E843-4128-AC66-2DB071FF32D3\seederexe.exe

Filesize
8.6MB

MD5
225ba20fa3edd13c9c72f600ff90e6cb

SHA1
5f1a9baa85c2afe29619e7cc848036d9174701e4

SHA256
35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797

SHA512
97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

Download Submit
\Users\Admin\AppData\Local\Temp\208C3FE7-4544-49F6-8D7E-4632B3311A4E\sender.exe

Filesize
260KB

MD5
f1a8f60c018647902e70cf3869e1563f

SHA1
3caf9c51dfd75206d944d4c536f5f5ff8e225ae9

SHA256
36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577

SHA512
c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

Download Submit
\Users\Admin\AppData\Local\Temp\7483E377-B72F-4267-A31F-E975B105E9D5\lite_installer.exe

Filesize
419KB

MD5
aafdfaa7a989ddb216510fc9ae5b877f

SHA1
41cf94692968a7d511b6051b7fe2b15c784770cb

SHA256
688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc

SHA512
6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

Download Submit