2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe
Size

2.6MB
MD5

5ef7cb947d8630de6188c3538dbf52b7
SHA1

e0116510c13ce7473b2c815ca3a8fda295ba8d00
SHA256

2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5
SHA512

9add472e566b81aed8a89378bda66c5509c4bc506ee9249d6f6919dc689c2948aec758303541c730ce6c9854c0a53790d43d5a46bd844866c88a4007e7e617ea
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eG:ObCjPKNqQEfsw43qtmVfq4r

Score

9^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/724-26-0x0000000000400000-0x000000000048E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/724-31-0x0000000000400000-0x000000000048E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with MEW 3 IoCs

resource	yara_rule
behavioral1/memory/1476-44-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW
behavioral1/memory/1476-45-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW
behavioral1/memory/1476-47-0x0000000000400000-0x000000000043C000-memory.dmp	INDICATOR_EXE_Packed_MEW

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/2392-37-0x0000000000400000-0x0000000000491000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2392-40-0x0000000000400000-0x0000000000491000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/724-24-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral1/memory/724-25-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral1/memory/724-26-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral1/memory/724-31-0x0000000000400000-0x000000000048E000-memory.dmp	UPX
behavioral1/memory/2392-35-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral1/memory/2392-36-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral1/memory/2392-37-0x0000000000400000-0x0000000000491000-memory.dmp	UPX
behavioral1/memory/2392-40-0x0000000000400000-0x0000000000491000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2796	winmgr119.exe
2652	winmgr119.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/724-24-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/724-25-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/724-26-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/724-31-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2392-35-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2392-36-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2392-37-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2392-40-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
8	bot.whatismyipaddress.com
4	icanhazip.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000012280-2.dat	autoit_exe
behavioral1/files/0x0036000000013108-9.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2716 set thread context of 724	2716	RegAsm.exe	58
PID 2716 set thread context of 2392	2716	RegAsm.exe	61
PID 2716 set thread context of 1476	2716	RegAsm.exe	65

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2108	schtasks.exe
1504	schtasks.exe
1744	schtasks.exe
2408	schtasks.exe
1816	schtasks.exe
2508	schtasks.exe
1444	schtasks.exe
1608	schtasks.exe
2164	schtasks.exe
2596	schtasks.exe
2040	schtasks.exe
684	schtasks.exe
1888	schtasks.exe
1900	schtasks.exe
2816	schtasks.exe
2740	schtasks.exe
2436	schtasks.exe
2412	schtasks.exe
2064	schtasks.exe
1968	schtasks.exe
2300	schtasks.exe
1572	schtasks.exe
984	schtasks.exe
2620	schtasks.exe
2500	schtasks.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File created	C:\Users\Admin\AppData\Local\Temp\2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe:Zone.Identifier:$DATA	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2284	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2796	winmgr119.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2652	winmgr119.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2996	jhdfkldfhndfkjdfnbfklfnf.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe
2716	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	RegAsm.exe
Token: SeDebugPrivilege	724	cvtres.exe
Token: SeDebugPrivilege	2392	cvtres.exe
Token: SeDebugPrivilege	1476	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2996	2284	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe	28
PID 2284 wrote to memory of 2996	2284	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe	28
PID 2284 wrote to memory of 2996	2284	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe	28
PID 2284 wrote to memory of 2996	2284	2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe	28
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2716	2996	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2996 wrote to memory of 2596	2996	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2996 wrote to memory of 2596	2996	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2996 wrote to memory of 2596	2996	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2996 wrote to memory of 2596	2996	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2996 wrote to memory of 2500	2996	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2996 wrote to memory of 2500	2996	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2996 wrote to memory of 2500	2996	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2996 wrote to memory of 2500	2996	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2996 wrote to memory of 2740	2996	jhdfkldfhndfkjdfnbfklfnf.exe	34
PID 2996 wrote to memory of 2740	2996	jhdfkldfhndfkjdfnbfklfnf.exe	34
PID 2996 wrote to memory of 2740	2996	jhdfkldfhndfkjdfnbfklfnf.exe	34
PID 2996 wrote to memory of 2740	2996	jhdfkldfhndfkjdfnbfklfnf.exe	34
PID 2996 wrote to memory of 1444	2996	jhdfkldfhndfkjdfnbfklfnf.exe	36
PID 2996 wrote to memory of 1444	2996	jhdfkldfhndfkjdfnbfklfnf.exe	36
PID 2996 wrote to memory of 1444	2996	jhdfkldfhndfkjdfnbfklfnf.exe	36
PID 2996 wrote to memory of 1444	2996	jhdfkldfhndfkjdfnbfklfnf.exe	36
PID 2996 wrote to memory of 2412	2996	jhdfkldfhndfkjdfnbfklfnf.exe	38
PID 2996 wrote to memory of 2412	2996	jhdfkldfhndfkjdfnbfklfnf.exe	38
PID 2996 wrote to memory of 2412	2996	jhdfkldfhndfkjdfnbfklfnf.exe	38
PID 2996 wrote to memory of 2412	2996	jhdfkldfhndfkjdfnbfklfnf.exe	38
PID 2996 wrote to memory of 1504	2996	jhdfkldfhndfkjdfnbfklfnf.exe	42
PID 2996 wrote to memory of 1504	2996	jhdfkldfhndfkjdfnbfklfnf.exe	42
PID 2996 wrote to memory of 1504	2996	jhdfkldfhndfkjdfnbfklfnf.exe	42
PID 2996 wrote to memory of 1504	2996	jhdfkldfhndfkjdfnbfklfnf.exe	42
PID 2996 wrote to memory of 1608	2996	jhdfkldfhndfkjdfnbfklfnf.exe	44
PID 2996 wrote to memory of 1608	2996	jhdfkldfhndfkjdfnbfklfnf.exe	44
PID 2996 wrote to memory of 1608	2996	jhdfkldfhndfkjdfnbfklfnf.exe	44
PID 2996 wrote to memory of 1608	2996	jhdfkldfhndfkjdfnbfklfnf.exe	44
PID 2996 wrote to memory of 1744	2996	jhdfkldfhndfkjdfnbfklfnf.exe	46
PID 2996 wrote to memory of 1744	2996	jhdfkldfhndfkjdfnbfklfnf.exe	46
PID 2996 wrote to memory of 1744	2996	jhdfkldfhndfkjdfnbfklfnf.exe	46
PID 2996 wrote to memory of 1744	2996	jhdfkldfhndfkjdfnbfklfnf.exe	46
PID 2996 wrote to memory of 2064	2996	jhdfkldfhndfkjdfnbfklfnf.exe	48
PID 2996 wrote to memory of 2064	2996	jhdfkldfhndfkjdfnbfklfnf.exe	48
PID 2996 wrote to memory of 2064	2996	jhdfkldfhndfkjdfnbfklfnf.exe	48
PID 2996 wrote to memory of 2064	2996	jhdfkldfhndfkjdfnbfklfnf.exe	48
PID 2996 wrote to memory of 2040	2996	jhdfkldfhndfkjdfnbfklfnf.exe	50
PID 2996 wrote to memory of 2040	2996	jhdfkldfhndfkjdfnbfklfnf.exe	50
PID 2996 wrote to memory of 2040	2996	jhdfkldfhndfkjdfnbfklfnf.exe	50
PID 2996 wrote to memory of 2040	2996	jhdfkldfhndfkjdfnbfklfnf.exe	50
PID 492 wrote to memory of 2796	492	taskeng.exe	53
PID 492 wrote to memory of 2796	492	taskeng.exe	53
PID 492 wrote to memory of 2796	492	taskeng.exe	53
PID 492 wrote to memory of 2796	492	taskeng.exe	53
PID 2996 wrote to memory of 1572	2996	jhdfkldfhndfkjdfnbfklfnf.exe	54
PID 2996 wrote to memory of 1572	2996	jhdfkldfhndfkjdfnbfklfnf.exe	54
PID 2996 wrote to memory of 1572	2996	jhdfkldfhndfkjdfnbfklfnf.exe	54
PID 2996 wrote to memory of 1572	2996	jhdfkldfhndfkjdfnbfklfnf.exe	54
PID 2996 wrote to memory of 2164	2996	jhdfkldfhndfkjdfnbfklfnf.exe	56
PID 2996 wrote to memory of 2164	2996	jhdfkldfhndfkjdfnbfklfnf.exe	56
PID 2996 wrote to memory of 2164	2996	jhdfkldfhndfkjdfnbfklfnf.exe	56

C:\Users\Admin\AppData\Local\Temp\2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe
"C:\Users\Admin\AppData\Local\Temp\2b1856d3ce5251c6a90f5a121ecf552ab7df68a84711d16cbba4a634f13bfce5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp6431.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1476
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2596
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1444
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2412
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1608
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2064
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2164
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1888
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:684
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:984
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1816
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2108
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2620
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1900
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2816
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2508

C:\Windows\system32\taskeng.exe
taskeng.exe {B9BFB372-ECA6-4527-B973-710D32BD4720} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:492
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

Filesize
8B

MD5
0fb956abbfdb0525d6a81984f310e6b9

SHA1
6cc370b72627f4a3bb6ada84dbee117734a60286

SHA256
5d71bdb41642f73612209a423cdc596258375514689454d47a127f1730349ecc

SHA512
a37ce7a59a4a812cfaba0c11400269b782180fe55b6a6ad850cd21d1d0431744b56ffe46d3cdeec3092b1f4a4205a98b34a0cb081bf783eafeee1c91d587daaa

Download Submit
C:\ProgramData\winmgr119.exe

Filesize
2.6MB

MD5
c511f42a4c4b0a6597b34f73e24ac44e

SHA1
a0a4acb7c720ec7d2443e9168e6d6a8d88656a1e

SHA256
03ef50d93c89c74cda70eb7f27058a43ae1de3abcca37f01181a9d824a01263f

SHA512
d895da895a0f1bad3334031e6c7ca508a2bd2ac812582f734cf6aa72002dd42c15e2fcfba26915e0a373317bb5728c596e3d591207cb0d0c76f0883b297f593f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp

Filesize
399B

MD5
e4bf4f7accc657622fe419c0d62419ab

SHA1
c2856936dd3de05bad0da5ca94d6b521e40ab5a2

SHA256
b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e

SHA512
85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6431.tmp

Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

Filesize
2.6MB

MD5
1532f4411ca677f355468c98f892246c

SHA1
8dbb65e9ac814b97c8c4979a5b5161f28aa7c2fc

SHA256
4be7f51b22fb340db98c38f6d5c02c6b18cb6e9bf5506c554450e011ff463d60

SHA512
316394b9e7f5016627a21b0a7804fc2bed4ddfbe53568ce7614ebe4be167d47aedf209bea0aef388e5057891dc7669bbb71f2aaf74b22ead7824f54f07f99370

Download Submit
memory/724-31-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/724-25-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/724-26-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/724-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1476-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1476-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1476-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-35-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2392-36-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2392-37-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2392-40-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2716-18-0x0000000073E52000-0x0000000073E54000-memory.dmp

Filesize
8KB

Download
memory/2716-12-0x0000000000110000-0x00000000001DA000-memory.dmp

Filesize
808KB

Download
memory/2716-17-0x0000000073E52000-0x0000000073E54000-memory.dmp

Filesize
8KB

Download
memory/2716-16-0x0000000000110000-0x00000000001DA000-memory.dmp

Filesize
808KB

Download
memory/2716-14-0x0000000000110000-0x00000000001DA000-memory.dmp

Filesize
808KB

Download
memory/2716-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-10-0x0000000000110000-0x00000000001DA000-memory.dmp

Filesize
808KB

Download