banload | 3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1

Resubmissions

Analysis

max time kernel
79s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

15.1MB
MD5

679e3f0e646a1a26b3264d08f398b228
SHA1

feedf0799a22cdfb393960a2b8edc06b35019664
SHA256

3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1
SHA512

46038281c1c73ba9a0265db68a4be35fee3fb640d95c04407424a9cd7bc97013ca5b40ae546f7e25dc77c9d047ee9d4fea98d54e1c7a44977f204623543af99f
SSDEEP

393216:A8+b3itt/k6pMm/aGib3gQuq6C2CT9U3TC6dRR8H0ZH3P:qS9CmqzTGunIH3P

Score

10^/10

banload lumma downloader dropper evasion persistence stealer trojan

Malware Config

Extracted

Family

lumma

https://fomremywellmadderw.shop/api

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Setup.tmp

Executes dropped EXE 5 IoCs

pid	Process
2080	Setup.tmp
1592	Setup.tmp
4996	UnRAR.exe
2624	ezcd.exe
5096	ezcd.exe

Loads dropped DLL 9 IoCs

pid	Process
2080	Setup.tmp
1592	Setup.tmp
2624	ezcd.exe
2624	ezcd.exe
2624	ezcd.exe
5096	ezcd.exe
5096	ezcd.exe
5096	ezcd.exe
3860	Ftur.au3

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment"	ezcd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 336	5096	ezcd.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\uRiInc\ = "~{nK[bAK~WMRbciGkM"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gvhotx\ = "leUHeQgNFCCA^BAg~QDBgN"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gpaQwvtqjrL\ = "QJ\|[vOq_Ap[_]n[L@kd"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\uRiInc\ = "cWQAyEn]Ry{a^@Tnew"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ymcxR\ = "NNbpDf]xPTAV"	ezcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\NoOpLock = "1"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gvhotx	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gpaQwvtqjrL\ = "ADmZOjUejIamXE\\N^Fu"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\hllkSpiov\ = "rDm^]iI`VgPvtAQWzkHiipRSnaDv~KKz"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bsdtwk\ = "`cNjTL@\\l{\\{xFFJbflr^ErmZDsMK["	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qQzQbtezIfyxL	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qQzQbtezIfyxL\ = "AJv`Fyxi}{\\fcYrBQmd`d~\|eBMPqippF"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\YcdyLdrMgz	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gvhotx	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\hllkSpiov	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ManualSafeSave = "1"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\hllkSpiov	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\YcdyLdrMgz\ = "i@wGECHEmKUtRohUB}B]hrnygKC\\\x7fQg"	ezcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\EnableShareDenyNone = "1"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\hllkSpiov\ = "sP[D~\x7f]\|~OJ\\pqvFfbM@QuxD^e\|\|HOwt"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gpaQwvtqjrL	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bsdtwk\ = "`cNjTL@\\l{\\{xFFJbflr^ErmZDsM{["	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qQzQbtezIfyxL\ = "rsN[_zT[\\~_DEdiFi\x7fGeg\x7fp[I\|]TyUrL"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ymcxR	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ymcxR\ = "ZaW@SqboTcwq"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\uRiInc	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bsdtwk\ = "Jvdtii\x7fOGrBhcXunLhLwman@rs}S~e"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gvhotx\ = "lkkE@J@vuT`wRD{YnAEBvE"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bsdtwk\ = "Jvdtii\x7fOGrBhcXunLhLwman@rs}SNe"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\uRiInc	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bsdtwk	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qQzQbtezIfyxL	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\qQzQbtezIfyxL\ = "AJv`FyHi}{\\fcYrBQmd`d~\|eBMPqippF"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gpaQwvtqjrL	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bsdtwk	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\YcdyLdrMgz\ = "tsfQxcpqUE~swmW~zVuq{y\x7fGYbHOV]d"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\YcdyLdrMgz	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ymcxR	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ymcxR\ = "O~bpDf__DwmJ"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ymcxR\ = "[QW@Sq`H@@[m"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\qQzQbtezIfyxL\ = "rsN[_zd[\\~_DEdiFi\x7fGeg\x7fp[I\|]TyUrL"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Microsoft PowerPoint Metadata Handler"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment"	ezcd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1592	Setup.tmp
1592	Setup.tmp
2624	ezcd.exe
5096	ezcd.exe
5096	ezcd.exe
5096	ezcd.exe
336	more.com
336	more.com
336	more.com
336	more.com
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5096	ezcd.exe
336	more.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	taskmgr.exe
Token: SeSystemProfilePrivilege	5116	taskmgr.exe
Token: SeCreateGlobalPrivilege	5116	taskmgr.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
1592	Setup.tmp
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2080	1404	Setup.exe	84
PID 1404 wrote to memory of 2080	1404	Setup.exe	84
PID 1404 wrote to memory of 2080	1404	Setup.exe	84
PID 2080 wrote to memory of 4532	2080	Setup.tmp	86
PID 2080 wrote to memory of 4532	2080	Setup.tmp	86
PID 2080 wrote to memory of 4532	2080	Setup.tmp	86
PID 4532 wrote to memory of 1592	4532	Setup.exe	87
PID 4532 wrote to memory of 1592	4532	Setup.exe	87
PID 4532 wrote to memory of 1592	4532	Setup.exe	87
PID 1592 wrote to memory of 4996	1592	Setup.tmp	89
PID 1592 wrote to memory of 4996	1592	Setup.tmp	89
PID 1592 wrote to memory of 2624	1592	Setup.tmp	99
PID 1592 wrote to memory of 2624	1592	Setup.tmp	99
PID 2624 wrote to memory of 5096	2624	ezcd.exe	106
PID 2624 wrote to memory of 5096	2624	ezcd.exe	106
PID 5096 wrote to memory of 336	5096	ezcd.exe	109
PID 5096 wrote to memory of 336	5096	ezcd.exe	109
PID 5096 wrote to memory of 336	5096	ezcd.exe	109
PID 5096 wrote to memory of 336	5096	ezcd.exe	109
PID 336 wrote to memory of 3860	336	more.com	113
PID 336 wrote to memory of 3860	336	more.com	113
PID 336 wrote to memory of 3860	336	more.com	113
PID 336 wrote to memory of 3860	336	more.com	113
PID 336 wrote to memory of 3860	336	more.com	113

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\is-31P4J.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-31P4J.tmp\Setup.tmp" /SL5="$4021C,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\is-FML4K.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FML4K.tmp\Setup.tmp" /SL5="$50212,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\UnRAR.exe" x -p2024 -o+ "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\jhgfdsa.rar" "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\"
        5⤵
        Executes dropped EXE
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe
        
        "C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        
        C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies registry class
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        8⤵
        Loads dropped DLL
        
        PID:3860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
a90069ef3555d9fadff08d85349cdef6

SHA1
00f2f2641cf13bd48558dead920637c2d4d6bd90

SHA256
4b4a3a76c1c3d364bc04121a4fa9c1e1ae2d8d95ba5c4ed0d78e86b060f0a979

SHA512
8a08db9eedef05eb1f0ed6c6c31f350b5bd595eb906b3e202381dce20cec31a1fae0800b275d6b7dbfa7591b2622a3ce8e9d5c15bbb8c131262c284275cf5efc

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\acdbase.dll

Filesize
2.9MB

MD5
b1bdb6ded9dff296ceff241fb196457b

SHA1
5bdfb243477cf12c239bb277cd66ca0dfa5d043d

SHA256
a9e79f83f81567cef62d2026ce30e1d5da27352590a6ef1c662cd1a634f73352

SHA512
3ba56cca93ed41fd185d81b076146064e1f59d4b3109dd44ecbe26e28e669011562527b7a2bdea0d9fb2f00d03a03c80acc83b6d3430721f0ce57b7c31c36123

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\gable.flv

Filesize
46KB

MD5
e1e1bf5a99a816a279d1309d61d80f2d

SHA1
427726ac33db371d40a687ef11b6071239bc70f6

SHA256
317cd902474c2dd27c9ad4af84d6b97b2831a996d9cd05ce2fb2518ffc38f923

SHA512
a6a2807324218eb28039bf3f946f3fadcdf5507b1d85c126a55b94c07c048a43db26183692e3e385680c299b01f4666f2ab17fc366f946fd6097e3d71e46088d

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\jhgfdsa.rar

Filesize
9.7MB

MD5
d4cf9207c2e3ba875410515927a9c3b2

SHA1
1564182a98cbf350c3d0e6ecfdcd622226c6217f

SHA256
ec329b9da2c72d3dd84d0b8f41b2ba8c2e95208aa614c6f10ca2ede6e6d2b52b

SHA512
b7b7e96d3c0ce2286b3ebcb978b976aaf31674c204f8c868daa9019b61e67cee4b4c0da90aa1ed8463474c9a156880cc422719ae7a78617ee5d7cda0be4a5034

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\libmmd.dll

Filesize
4.0MB

MD5
42943c6acaf8d5ca953911b2bb99fc14

SHA1
ea719eafd2857b43b20228827f5596f1137ac3d5

SHA256
427ef018d494bf6cb8531ab3bbcb501ed4c8c7c6479097b33ab4d15750eccc4c

SHA512
85e71abc6db8a2e4eaad70d35ca613a918046715c8447b4c975021791f160aa3d1c4cb19969f81dd7b9f98f13dec41619c44e3c5948ae593af9c3d0cfec346fc

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\shroff.rtf

Filesize
1.3MB

MD5
976de7d9e2ddca3c71bc51dc64e8ea6f

SHA1
2a76dc465078e110b20287730b64176ce844ab9f

SHA256
47a827e4291894470af7ad714fcafda799ad69715100e28cbc5570801c8dbdb8

SHA512
804a41d05e0ebad7803a039d94a2b79a0b22340faaf6ec6aa773e67f34cf6fe5439aa8621761e30e65631ee083feea36a2f482b4614e5173e5669a756a419763

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\326ed637

Filesize
1.8MB

MD5
7c24dbf7bc0b2c6c02465735eeb2b7a3

SHA1
939c33e8c026de214189c1feafb7da4b93237df6

SHA256
0ec6a9a2aca251d664b08825a9b7144a3671981bb8c91101d9e1f79af837ce10

SHA512
209bbd248bb2428b9943f74eabfafbaa76d212d0938211c9fcfbecf1298a6e6563c48b864e1d17da28679094c75dfa97fba20eec60b10344a3dd9e6b93700634

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31P4J.tmp\Setup.tmp

Filesize
3.0MB

MD5
62c2965912072266823bafdec2273528

SHA1
a737d8b8d31a440137894c0852c71976d64fb6fc

SHA256
d26099f9c70cd8a482e372523b96cdd5e01ff373725d786c9b9dd9749d3a03ab

SHA512
2dd306f9e3d78a6531b1bdd28ecc5be118bd45b3fad6197d404ab3dbadae60902fedf5df3cd8db2e07e63e5d80e672d6693b6e74c5df01a25d962ec912631c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KHUG8.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\??\c:\users\admin\appdata\local\temp\ftur.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/336-155-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/336-170-0x00000000758C0000-0x0000000075A3B000-memory.dmp

Filesize
1.5MB

Download
memory/1404-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1404-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1404-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1592-72-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2080-17-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2080-6-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2624-97-0x00007FFDB1B10000-0x00007FFDB1C82000-memory.dmp

Filesize
1.4MB

Download
memory/2624-84-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2624-86-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2624-79-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2624-81-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2624-83-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2624-85-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2624-67-0x0000000003F90000-0x0000000004178000-memory.dmp

Filesize
1.9MB

Download
memory/2624-88-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3860-179-0x0000000000570000-0x00000000005C9000-memory.dmp

Filesize
356KB

Download
memory/3860-177-0x0000000000570000-0x00000000005C9000-memory.dmp

Filesize
356KB

Download
memory/3860-178-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/4532-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4532-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4532-75-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5096-142-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5096-151-0x00007FFDB1390000-0x00007FFDB1502000-memory.dmp

Filesize
1.4MB

Download
memory/5096-152-0x00007FFDB1390000-0x00007FFDB1502000-memory.dmp

Filesize
1.4MB

Download
memory/5096-135-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5096-140-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5096-122-0x0000000004050000-0x0000000004238000-memory.dmp

Filesize
1.9MB

Download
memory/5096-138-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5096-137-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5096-139-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5096-133-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5116-167-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-165-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-164-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-162-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-163-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-166-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-168-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-158-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-157-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download
memory/5116-156-0x0000028B3EF70000-0x0000028B3EF71000-memory.dmp

Filesize
4KB

Download