9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7.exe
Size

3.5MB
MD5

9cc535dd1c20ebb196f2638f694bd77a
SHA1

ba8e1e934420c67547a68052d29bb5766c4c0b2e
SHA256

9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7
SHA512

8f83de7aaccd97da7d42b5f644c884d6a2c3eb9e69c4552b256d360307bb7c5bfc9ea95acd57c92ce6d161f16152d1fe3d3a64420bc4db41582c81d36c09c4a0
SSDEEP

49152:cP5r8oHl3obnWR1jdak2+8LIDITWHfwkbtKCL6asof1RABJAGdZY6+FK+HGJ2:cP5SbMkTs0TlkjeWDAB9ZY6+FKD2

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\", \"C:\\Users\\Admin\\cmd.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\RuntimeBroker.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\", \"C:\\Users\\Admin\\cmd.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Desktop\\explorer.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\", \"C:\\Users\\Admin\\cmd.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Desktop\\explorer.exe\", \"C:\\Program Files (x86)\\Google\\backgroundTaskHost.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\", \"C:\\Users\\Admin\\cmd.exe\""	logout.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	1092	schtasks.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1092	schtasks.exe	104

Detects executables containing bas64 encoded gzip files 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234e0-78.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/1896-79-0x00000000004A0000-0x000000000070E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	logout.exe

Executes dropped EXE 12 IoCs

pid	Process
4268	7z.exe
4752	7z.exe
904	7z.exe
5040	7z.exe
4880	7z.exe
4076	7z.exe
4900	7z.exe
1368	7z.exe
4284	7z.exe
2340	7z.exe
1896	logout.exe
3368	RuntimeBroker.exe

Loads dropped DLL 10 IoCs

pid	Process
4268	7z.exe
4752	7z.exe
904	7z.exe
5040	7z.exe
4880	7z.exe
4076	7z.exe
4900	7z.exe
1368	7z.exe
4284	7z.exe
2340	7z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\cmd.exe\""	logout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\RuntimeBroker.exe\""	logout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Desktop\\explorer.exe\""	logout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Google\\backgroundTaskHost.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Google\\backgroundTaskHost.exe\""	logout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Program Files\\Internet Explorer\\uk-UA\\BackgroundTransferHost.exe\""	logout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\cmd.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\RuntimeBroker.exe\""	logout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Desktop\\explorer.exe\""	logout.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC50E5EC95193E43D2A75D17F178BEE1C.TMP	csc.exe
File created	\??\c:\Windows\System32\i-ayhx.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\uk-UA\BackgroundTransferHost.exe	logout.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\BackgroundTransferHost.exe	logout.exe
File created	C:\Program Files\Internet Explorer\uk-UA\766532ba8a13d2	logout.exe
File created	C:\Program Files (x86)\Google\backgroundTaskHost.exe	logout.exe
File created	C:\Program Files (x86)\Google\eddb19405b7ce1	logout.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	logout.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9	logout.exe
File created	C:\Windows\CSC\smss.exe	logout.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	logout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4268	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5020	schtasks.exe
4392	schtasks.exe
384	schtasks.exe
4040	schtasks.exe
1148	schtasks.exe
3740	schtasks.exe
4648	schtasks.exe
4868	schtasks.exe
4464	schtasks.exe
4968	schtasks.exe
1796	schtasks.exe
4636	schtasks.exe
4976	schtasks.exe
4780	schtasks.exe
3224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe
1896	logout.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3368	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeRestorePrivilege	4268	7z.exe
Token: 35	4268	7z.exe
Token: SeSecurityPrivilege	4268	7z.exe
Token: SeSecurityPrivilege	4268	7z.exe
Token: SeRestorePrivilege	4752	7z.exe
Token: 35	4752	7z.exe
Token: SeSecurityPrivilege	4752	7z.exe
Token: SeSecurityPrivilege	4752	7z.exe
Token: SeRestorePrivilege	904	7z.exe
Token: 35	904	7z.exe
Token: SeSecurityPrivilege	904	7z.exe
Token: SeSecurityPrivilege	904	7z.exe
Token: SeRestorePrivilege	5040	7z.exe
Token: 35	5040	7z.exe
Token: SeSecurityPrivilege	5040	7z.exe
Token: SeSecurityPrivilege	5040	7z.exe
Token: SeRestorePrivilege	4880	7z.exe
Token: 35	4880	7z.exe
Token: SeSecurityPrivilege	4880	7z.exe
Token: SeSecurityPrivilege	4880	7z.exe
Token: SeRestorePrivilege	4076	7z.exe
Token: 35	4076	7z.exe
Token: SeSecurityPrivilege	4076	7z.exe
Token: SeSecurityPrivilege	4076	7z.exe
Token: SeRestorePrivilege	4900	7z.exe
Token: 35	4900	7z.exe
Token: SeSecurityPrivilege	4900	7z.exe
Token: SeSecurityPrivilege	4900	7z.exe
Token: SeRestorePrivilege	1368	7z.exe
Token: 35	1368	7z.exe
Token: SeSecurityPrivilege	1368	7z.exe
Token: SeSecurityPrivilege	1368	7z.exe
Token: SeRestorePrivilege	4284	7z.exe
Token: 35	4284	7z.exe
Token: SeSecurityPrivilege	4284	7z.exe
Token: SeSecurityPrivilege	4284	7z.exe
Token: SeRestorePrivilege	2340	7z.exe
Token: 35	2340	7z.exe
Token: SeSecurityPrivilege	2340	7z.exe
Token: SeSecurityPrivilege	2340	7z.exe
Token: SeDebugPrivilege	1896	logout.exe
Token: SeDebugPrivilege	3368	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3368	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1068	2200	9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7.exe	86
PID 2200 wrote to memory of 1068	2200	9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7.exe	86
PID 1068 wrote to memory of 3740	1068	cmd.exe	88
PID 1068 wrote to memory of 3740	1068	cmd.exe	88
PID 1068 wrote to memory of 4268	1068	cmd.exe	89
PID 1068 wrote to memory of 4268	1068	cmd.exe	89
PID 1068 wrote to memory of 4752	1068	cmd.exe	90
PID 1068 wrote to memory of 4752	1068	cmd.exe	90
PID 1068 wrote to memory of 904	1068	cmd.exe	91
PID 1068 wrote to memory of 904	1068	cmd.exe	91
PID 1068 wrote to memory of 5040	1068	cmd.exe	92
PID 1068 wrote to memory of 5040	1068	cmd.exe	92
PID 1068 wrote to memory of 4880	1068	cmd.exe	93
PID 1068 wrote to memory of 4880	1068	cmd.exe	93
PID 1068 wrote to memory of 4076	1068	cmd.exe	94
PID 1068 wrote to memory of 4076	1068	cmd.exe	94
PID 1068 wrote to memory of 4900	1068	cmd.exe	95
PID 1068 wrote to memory of 4900	1068	cmd.exe	95
PID 1068 wrote to memory of 1368	1068	cmd.exe	96
PID 1068 wrote to memory of 1368	1068	cmd.exe	96
PID 1068 wrote to memory of 4284	1068	cmd.exe	97
PID 1068 wrote to memory of 4284	1068	cmd.exe	97
PID 1068 wrote to memory of 2340	1068	cmd.exe	98
PID 1068 wrote to memory of 2340	1068	cmd.exe	98
PID 1068 wrote to memory of 4440	1068	cmd.exe	99
PID 1068 wrote to memory of 4440	1068	cmd.exe	99
PID 1068 wrote to memory of 1896	1068	cmd.exe	100
PID 1068 wrote to memory of 1896	1068	cmd.exe	100
PID 1896 wrote to memory of 1692	1896	logout.exe	108
PID 1896 wrote to memory of 1692	1896	logout.exe	108
PID 1692 wrote to memory of 508	1692	csc.exe	110
PID 1692 wrote to memory of 508	1692	csc.exe	110
PID 1896 wrote to memory of 1596	1896	logout.exe	124
PID 1896 wrote to memory of 1596	1896	logout.exe	124
PID 1596 wrote to memory of 2224	1596	cmd.exe	126
PID 1596 wrote to memory of 2224	1596	cmd.exe	126
PID 1596 wrote to memory of 4268	1596	cmd.exe	127
PID 1596 wrote to memory of 4268	1596	cmd.exe	127
PID 1596 wrote to memory of 3368	1596	cmd.exe	132
PID 1596 wrote to memory of 3368	1596	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7.exe
"C:\Users\Admin\AppData\Local\Temp\9bd8be1ddf1c3847995b0659911a6d5dba351504a2f752c0f4a8ae7d4b17b9a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p873814631235942077761918182 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\system32\attrib.exe
    attrib +H "logout.exe"
    3⤵
    - Views/modifies file attributes
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\main\logout.exe
    "logout.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ejeipzdv\ejeipzdv.cmdline"
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C6A.tmp" "c:\Windows\System32\CSC50E5EC95193E43D2A75D17F178BEE1C.TMP"
        5⤵
        
        PID:508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EI9gf3HFJe.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2224
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4268
    - - C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe
        
        "C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\uk-UA\BackgroundTransferHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EI9gf3HFJe.bat

Filesize
205B

MD5
1138cadc1552275ef9124cc9d3e94e8d

SHA1
d91c31a0104eb95759044e169ab075cdcdb47ebb

SHA256
d03c05f1069732aa76c490bc407148ef8c2d4a54410c0e4dc0b368c2c4a6748f

SHA512
321dcd77e92d4b0f6b5af1d451e5f4cef1f92d3aac28cb8d1844fb0fd1a4623e2645f919e5d06530ab6ae3dd0eaa9cb33c4e7ca813f54963a0943a265160ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C6A.tmp

Filesize
1KB

MD5
9ea6b72fe6a240e8c7ff64006ea158e4

SHA1
929cf0a68b154d89b86661c4af6e1c40444611ae

SHA256
dd21bfdae528bfa44970e22997b4233eef2e5757c70d56fb15e830333300e5dc

SHA512
3c5b22694cc6eba5fb74b459429bb8600a2b345ef4ab991b181f9622de7226af33064660b08eb4d9c31138a9f44ac55b2fd8ce15d50a18776a05ab07003f4bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
a921cffce0c77c8ca370733a77b91175

SHA1
d7c563fa05a22278c0799d4223ed1a70c84453db

SHA256
b1c62bd9e82716443bcbc337ca6ab0b32469d45593ec03a4b88f863d7e988cdc

SHA512
3d2c730d8ebcb19de85c15b11663ced57e2ecdade7325d2eb689d354b097cd0f5586f4ec86ca4b1577cdf7324cd6b9c5527da4fecee110022626f7a8de2bab87

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1.1MB

MD5
3f9bf3324d2c314b8142cc2db9765bdb

SHA1
b890cb5cfee10ad8924dc813eccc99d61736e2b9

SHA256
b31c7f881be74d0fce1f6650ded3d84af48e860c7b16464434f00c0bc1cdf041

SHA512
90e2ac563077fa751e301f1489a35ab48ac298e851ef44a768f8ce169811d7f8eba346556c270a432734f53bf8e1706b7129d2423f05d5f94bf51d87b5ef870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
1.1MB

MD5
e7576de0ea6cd429d2c21c02dbc4945c

SHA1
1bb7252fcc767405d81d512c009c5c849af016bd

SHA256
0fa0472ca78849ab046ce2855bf64ff1fce030293e77665fbebdda417bca7dc4

SHA512
5352f91c02d8432e372815bb72f6f960831ae7cab6c3a852bd7840873383b6fe94d7658d4435774bd614e9fb745415a68ce8664c89c9f1b8d2673e8318b6961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
1.1MB

MD5
0021b7806a3c4bc6f8f3b60c326d81c2

SHA1
06c6e3814990e040fb0f15f6fc33a719fa451e6d

SHA256
bbf0ae36ce30a214972803635e406a008086908e5d42488ee4e6c112682231ed

SHA512
a474aef0917813116470510c3955deb62aa3ec8aa9833c8d37e9b3c45f567dfbe127b0b30ec59097479af5268847642a0810c46316a66f27a45a207740825a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.1MB

MD5
e96600b19047eb3344013ab43a8e5fd6

SHA1
183eefa401e326d8a305ab3a1e698dde9a6b2e0b

SHA256
7b65d41f3c94d69248ea2534ac9e3698812bf5bbb7349c2c9b7ca5d6a1b5d21d

SHA512
da4c768fd2083716899c10f0767be6db392e180a22c82bf004f870f5ea8cd09968e357454952cd390cbcfa3c8fc7ba7b44160b77b6c746fd0faa891bc92cfe1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.1MB

MD5
aa62a8c5ecd0abcdbc69768bc3bac903

SHA1
e4999b7b5d64acd5610c9e450034190b1de40015

SHA256
526382dd952125d0522c374f356f13a32876169d062b9faa0ea14d9a557764b0

SHA512
1569fdefbf961b984aa91515cf92160c14c649f414d1a2413f1a1e9c912c4d2316ae2c464064b367b1a60fb3944935ce7e7b8f6bce7790cabf6ec91123c17e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.1MB

MD5
d0df69d809af150b898e7b19615a9af0

SHA1
41c867e823060c1e62ba2f0062dee3d039b591ae

SHA256
6098fec4cdb04752ab576b122a1341f242081e32fc8181de31a7068964256a24

SHA512
e42c402a9a81d842d1cd12154d7c6e3ac3afe8bb0eda7b1fe7c324dc1dd03300cbb7042b1eebec797aa6aa1c932ff04bbffe4c1c29907e5243dbe5656ccc0d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
1.1MB

MD5
61bce6e1554671187253ac663737f37a

SHA1
65126ee39e85f6fc52c7da304b9f57259267d74c

SHA256
d0587a78cc9f37057437de59bcd3de29f8a2e6e9d64e89ead4933bcedb638cda

SHA512
653c407df853cc96a99a5b5089790d6ade72de3b3cb1c648920f04daf0205501ea12483dd822d089defddc3fe06cafb318001b006db5c33a212a540d69a90ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
1.1MB

MD5
d9824cdfd33898aa204461d2db013af1

SHA1
8c76defe74f9f76902c16f444c59b198ac400966

SHA256
2362d0cfdf95d9a4e96db2e96bdac764fbb170fb8d91ab537a3ca12be033f486

SHA512
72064c063de378ca7d6daba2aa74c68502668e705b882f34018dff252be24c1f84d486083d60a365d3b42bf023df08ceb41dd5619a89d0fd9a66bd37fa837cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
2.6MB

MD5
9a5fc1d7a5cecd2f69629da41e3464a6

SHA1
c262ffb995608a5225d0f6b8ccdc9e2cec2dbfb9

SHA256
2f58ee3a95e35fb41826a180170c4480d0f541c142a58b1e165fbaeb5eb92511

SHA512
5b5caab5c9db18b2f3123c870de722eedb643c671eb40b6b76807d18b9bc6b6336d9659c0143f75edea1d17f33c5c555f8453152531d3a4ae6017b79160a3e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.6MB

MD5
a4910a0dce7a73a1cf57613cb994cf99

SHA1
d107e404679744ec1bbadac8e8a74e7ecaee4958

SHA256
5c2415128a8796c74d6aff1d92a8754949eaf94e8ef55f51921ee8f9c53427af

SHA512
3e8711667090e2d89356e0d3d76ce5a9d27020eae7429677b57c88be7de5ca9060477c5a4e8ef97cb53ada6648d8424f1c90fd8490e9cc16f8968a9c8d97daa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\logout.exe

Filesize
2.4MB

MD5
93e29f60a134f7f37cc1f9e2498733c0

SHA1
0d8d736bcc41565f26e4be8b9b88d8fe75c3077b

SHA256
23a717427e7d4ed0230d1b6a3b7d5f591d36f02bd99e3d89dc052c5249af6169

SHA512
f62e0b7003a4c5912dd697334e5f0ad0ecd579214c6adca57eb712525ca409d30930fad11bf047708d1e38cf62946751076fa28cc18ad0221974f723cce53ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
458B

MD5
66923c79f19992c3c5a3de1bc837a404

SHA1
e16adcab2625ddaad2ae295c5230ada0912d0154

SHA256
9f2437dc943d5c15a07dd4c485e83fae840a2c80a77206bb75d8cf1d30182159

SHA512
eaed4fbd2e8d51952f0e5172d5854802820d8f4b80823fd9d4aa69331bb0d979fb96d8cddf9601eb45289977ced3be519d798bea4d6fce7af7c51af864b6ec65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejeipzdv\ejeipzdv.0.cs

Filesize
399B

MD5
91db0438ec6d0db26ff039aa7764e4f5

SHA1
ac619352d4a6c1d6cad66a9c2b23a7fc847b2f3a

SHA256
6cb5537dd3e76d095756b60445ad2192f849d522564036fd8797a3a5e3240583

SHA512
69b3b57c67d321541c4ccd146a3fa495fbd48de93a8d716235e7caf903d373d163701e77c2dd82bf257bc28a40ed587ba9b02f17197ced5bf76502f65f193986

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejeipzdv\ejeipzdv.cmdline

Filesize
235B

MD5
c988e02d381332e30f0e4efa7e289bf0

SHA1
8345f1e255dac283972af2ae2ba041f3cd02fc92

SHA256
1eece67bd30d909a9ed77d1971f79c3bd5f8c139969721c22e19a8b6a4778d5b

SHA512
4b1d98117093365a94448e7c2c2dc95e9c89ff81e02f2236df0b06019ab3a318f3d5d128feafe07c3ef1c12f566dddeeca620eda8dbef012f8acb051fa18871d

Download Submit
\??\c:\Windows\System32\CSC50E5EC95193E43D2A75D17F178BEE1C.TMP

Filesize
1KB

MD5
64a19e5d1157172775ab054499587681

SHA1
1457a71d9856e9696dc4b9123e74cb5d2a142f96

SHA256
e4880390284e7d7b1621202f7babe20e057e13dd5784e4f5c662ab82c47ea520

SHA512
2915ed1a9f84dc5466d27754585c08dc46fcd696b54769ea6e936c555745862f1bfac5323e3be8865f1a1cefe4cdf03dcc19bf54010da9e737e46050fb0a3ecf

Download Submit
memory/1896-92-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/1896-113-0x000000001C050000-0x000000001C0AA000-memory.dmp

Filesize
360KB

Download
memory/1896-88-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/1896-94-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/1896-96-0x000000001B1D0000-0x000000001B1DE000-memory.dmp

Filesize
56KB

Download
memory/1896-98-0x000000001BF70000-0x000000001BF82000-memory.dmp

Filesize
72KB

Download
memory/1896-100-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/1896-102-0x000000001BFB0000-0x000000001BFC6000-memory.dmp

Filesize
88KB

Download
memory/1896-104-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

Filesize
72KB

Download
memory/1896-105-0x000000001C520000-0x000000001CA48000-memory.dmp

Filesize
5.2MB

Download
memory/1896-107-0x000000001B230000-0x000000001B23E000-memory.dmp

Filesize
56KB

Download
memory/1896-109-0x000000001BF10000-0x000000001BF20000-memory.dmp

Filesize
64KB

Download
memory/1896-111-0x000000001BF90000-0x000000001BFA0000-memory.dmp

Filesize
64KB

Download
memory/1896-90-0x000000001B200000-0x000000001B218000-memory.dmp

Filesize
96KB

Download
memory/1896-115-0x000000001BFA0000-0x000000001BFAE000-memory.dmp

Filesize
56KB

Download
memory/1896-117-0x000000001BFF0000-0x000000001C000000-memory.dmp

Filesize
64KB

Download
memory/1896-119-0x000000001C000000-0x000000001C00E000-memory.dmp

Filesize
56KB

Download
memory/1896-121-0x000000001C030000-0x000000001C048000-memory.dmp

Filesize
96KB

Download
memory/1896-123-0x000000001C100000-0x000000001C14E000-memory.dmp

Filesize
312KB

Download
memory/1896-86-0x000000001BF20000-0x000000001BF70000-memory.dmp

Filesize
320KB

Download
memory/1896-85-0x000000001B1E0000-0x000000001B1FC000-memory.dmp

Filesize
112KB

Download
memory/1896-83-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

Filesize
56KB

Download
memory/1896-81-0x000000001B190000-0x000000001B1B6000-memory.dmp

Filesize
152KB

Download
memory/1896-79-0x00000000004A0000-0x000000000070E000-memory.dmp

Filesize
2.4MB

Download
memory/3368-176-0x000000001C6C0000-0x000000001C6C8000-memory.dmp

Filesize
32KB

Download