umbral | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1252172365647974441/4gQlLrJt2VtCn71LmsFuTifq4qn3SRnlOC0k8H5iaa8g2BlP4YuRr9feLLYTpIHpdtxd

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012324-27.dat	family_umbral
behavioral1/memory/2696-29-0x0000000000070000-0x00000000000B0000-memory.dmp	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2332-66-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2332-68-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2332-67-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2332-63-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2332-61-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Windows executables referencing non-Windows User-Agents 5 IoCs

resource	yara_rule
behavioral1/memory/2332-66-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2332-68-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2332-67-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2332-63-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2332-61-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables attemping to enumerate video devices using WMI 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012324-27.dat	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2696-29-0x0000000000070000-0x00000000000B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012324-27.dat	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral1/memory/2696-29-0x0000000000070000-0x00000000000B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012324-27.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2696-29-0x0000000000070000-0x00000000000B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012324-27.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral1/memory/2696-29-0x0000000000070000-0x00000000000B0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral1/files/0x0023000000013522-39.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1324-47-0x0000000001040000-0x0000000001228000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

UPX dump on OEP (original entry point) 12 IoCs

resource	yara_rule
behavioral1/memory/848-160-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-162-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-163-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-161-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-159-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-165-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-169-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-168-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-167-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-166-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-158-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/848-175-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/848-162-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-163-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-165-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-169-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-168-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-167-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-166-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/848-175-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
1904	powershell.exe
1268	powershell.exe
1684	powershell.exe
2544	powershell.exe
2780	powershell.exe
2544	powershell.exe
1716	powershell.exe
2724	powershell.exe
2288	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0023000000013522-39.dat	net_reactor
behavioral1/memory/1324-47-0x0000000001040000-0x0000000001228000-memory.dmp	net_reactor

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe

Executes dropped EXE 8 IoCs

pid	Process
2728	Nursultan Setup.exe
2696	Запустить Nursultan.exe
1324	Nursultan.exe
1264	CrackLauncher.exe
476	Process not Found
2904	jqvljmboayxs.exe
2672	svchost.exe
2660	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
2508	Process not Found
2332	MSBuild.exe
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/848-160-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-157-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-162-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-163-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-161-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-159-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-165-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-169-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-168-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-167-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-166-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-158-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/848-175-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	MSBuild.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1836	powercfg.exe
1548	powercfg.exe
1332	powercfg.exe
2440	powercfg.exe
2188	powercfg.exe
1052	powercfg.exe
1524	powercfg.exe
1768	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 2332	1324	Nursultan.exe	44
PID 2904 set thread context of 1772	2904	jqvljmboayxs.exe	126
PID 2904 set thread context of 848	2904	jqvljmboayxs.exe	131

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1292	sc.exe
708	sc.exe
1920	sc.exe
2496	sc.exe
536	sc.exe
900	sc.exe
2088	sc.exe
2872	sc.exe
2468	sc.exe
444	sc.exe
1280	sc.exe
808	sc.exe
1680	sc.exe
1324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1752	wmic.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90c8b7858bcada01	powershell.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\shell	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\shell\open	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2368	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	powershell.exe
2780	powershell.exe
2544	powershell.exe
1904	powershell.exe
1656	powershell.exe
1704	powershell.exe
1256	powershell.exe
1952	powershell.exe
1268	powershell.exe
1716	powershell.exe
1684	powershell.exe
2724	powershell.exe
2332	MSBuild.exe
2728	Nursultan Setup.exe
2544	powershell.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2728	Nursultan Setup.exe
2904	jqvljmboayxs.exe
2288	powershell.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
2904	jqvljmboayxs.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2696	Запустить Nursultan.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2332	MSBuild.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeIncreaseQuotaPrivilege	884	wmic.exe
Token: SeSecurityPrivilege	884	wmic.exe
Token: SeTakeOwnershipPrivilege	884	wmic.exe
Token: SeLoadDriverPrivilege	884	wmic.exe
Token: SeSystemProfilePrivilege	884	wmic.exe
Token: SeSystemtimePrivilege	884	wmic.exe
Token: SeProfSingleProcessPrivilege	884	wmic.exe
Token: SeIncBasePriorityPrivilege	884	wmic.exe
Token: SeCreatePagefilePrivilege	884	wmic.exe
Token: SeBackupPrivilege	884	wmic.exe
Token: SeRestorePrivilege	884	wmic.exe
Token: SeShutdownPrivilege	884	wmic.exe
Token: SeDebugPrivilege	884	wmic.exe
Token: SeSystemEnvironmentPrivilege	884	wmic.exe
Token: SeRemoteShutdownPrivilege	884	wmic.exe
Token: SeUndockPrivilege	884	wmic.exe
Token: SeManageVolumePrivilege	884	wmic.exe
Token: 33	884	wmic.exe
Token: 34	884	wmic.exe
Token: 35	884	wmic.exe
Token: SeIncreaseQuotaPrivilege	884	wmic.exe
Token: SeSecurityPrivilege	884	wmic.exe
Token: SeTakeOwnershipPrivilege	884	wmic.exe
Token: SeLoadDriverPrivilege	884	wmic.exe
Token: SeSystemProfilePrivilege	884	wmic.exe
Token: SeSystemtimePrivilege	884	wmic.exe
Token: SeProfSingleProcessPrivilege	884	wmic.exe
Token: SeIncBasePriorityPrivilege	884	wmic.exe
Token: SeCreatePagefilePrivilege	884	wmic.exe
Token: SeBackupPrivilege	884	wmic.exe
Token: SeRestorePrivilege	884	wmic.exe
Token: SeShutdownPrivilege	884	wmic.exe
Token: SeDebugPrivilege	884	wmic.exe
Token: SeSystemEnvironmentPrivilege	884	wmic.exe
Token: SeRemoteShutdownPrivilege	884	wmic.exe
Token: SeUndockPrivilege	884	wmic.exe
Token: SeManageVolumePrivilege	884	wmic.exe
Token: 33	884	wmic.exe
Token: 34	884	wmic.exe
Token: 35	884	wmic.exe
Token: SeIncreaseQuotaPrivilege	1380	wmic.exe
Token: SeSecurityPrivilege	1380	wmic.exe
Token: SeTakeOwnershipPrivilege	1380	wmic.exe
Token: SeLoadDriverPrivilege	1380	wmic.exe
Token: SeSystemProfilePrivilege	1380	wmic.exe
Token: SeSystemtimePrivilege	1380	wmic.exe
Token: SeProfSingleProcessPrivilege	1380	wmic.exe
Token: SeIncBasePriorityPrivilege	1380	wmic.exe
Token: SeCreatePagefilePrivilege	1380	wmic.exe
Token: SeBackupPrivilege	1380	wmic.exe
Token: SeRestorePrivilege	1380	wmic.exe
Token: SeShutdownPrivilege	1380	wmic.exe
Token: SeDebugPrivilege	1380	wmic.exe
Token: SeSystemEnvironmentPrivilege	1380	wmic.exe
Token: SeRemoteShutdownPrivilege	1380	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2332	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1624	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	28
PID 2804 wrote to memory of 1624	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	28
PID 2804 wrote to memory of 1624	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	28
PID 2804 wrote to memory of 2728	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	30
PID 2804 wrote to memory of 2728	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	30
PID 2804 wrote to memory of 2728	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	30
PID 2804 wrote to memory of 2780	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	31
PID 2804 wrote to memory of 2780	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	31
PID 2804 wrote to memory of 2780	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	31
PID 2804 wrote to memory of 2696	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	33
PID 2804 wrote to memory of 2696	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	33
PID 2804 wrote to memory of 2696	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	33
PID 2804 wrote to memory of 2544	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	34
PID 2804 wrote to memory of 2544	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	34
PID 2804 wrote to memory of 2544	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	34
PID 2804 wrote to memory of 1324	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	36
PID 2804 wrote to memory of 1324	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	36
PID 2804 wrote to memory of 1324	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	36
PID 2804 wrote to memory of 1324	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	36
PID 2804 wrote to memory of 1264	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	37
PID 2804 wrote to memory of 1264	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	37
PID 2804 wrote to memory of 1264	2804	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	37
PID 1264 wrote to memory of 2328	1264	CrackLauncher.exe	39
PID 1264 wrote to memory of 2328	1264	CrackLauncher.exe	39
PID 1264 wrote to memory of 2328	1264	CrackLauncher.exe	39
PID 2696 wrote to memory of 2216	2696	Запустить Nursultan.exe	40
PID 2696 wrote to memory of 2216	2696	Запустить Nursultan.exe	40
PID 2696 wrote to memory of 2216	2696	Запустить Nursultan.exe	40
PID 2696 wrote to memory of 1904	2696	Запустить Nursultan.exe	42
PID 2696 wrote to memory of 1904	2696	Запустить Nursultan.exe	42
PID 2696 wrote to memory of 1904	2696	Запустить Nursultan.exe	42
PID 2696 wrote to memory of 1656	2696	Запустить Nursultan.exe	45
PID 2696 wrote to memory of 1656	2696	Запустить Nursultan.exe	45
PID 2696 wrote to memory of 1656	2696	Запустить Nursultan.exe	45
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 1324 wrote to memory of 2332	1324	Nursultan.exe	44
PID 2696 wrote to memory of 1704	2696	Запустить Nursultan.exe	47
PID 2696 wrote to memory of 1704	2696	Запустить Nursultan.exe	47
PID 2696 wrote to memory of 1704	2696	Запустить Nursultan.exe	47
PID 2696 wrote to memory of 1256	2696	Запустить Nursultan.exe	49
PID 2696 wrote to memory of 1256	2696	Запустить Nursultan.exe	49
PID 2696 wrote to memory of 1256	2696	Запустить Nursultan.exe	49
PID 2696 wrote to memory of 884	2696	Запустить Nursultan.exe	51
PID 2696 wrote to memory of 884	2696	Запустить Nursultan.exe	51
PID 2696 wrote to memory of 884	2696	Запустить Nursultan.exe	51
PID 2696 wrote to memory of 1380	2696	Запустить Nursultan.exe	54
PID 2696 wrote to memory of 1380	2696	Запустить Nursultan.exe	54
PID 2696 wrote to memory of 1380	2696	Запустить Nursultan.exe	54
PID 2696 wrote to memory of 952	2696	Запустить Nursultan.exe	56
PID 2696 wrote to memory of 952	2696	Запустить Nursultan.exe	56
PID 2696 wrote to memory of 952	2696	Запустить Nursultan.exe	56
PID 2696 wrote to memory of 1952	2696	Запустить Nursultan.exe	58
PID 2696 wrote to memory of 1952	2696	Запустить Nursultan.exe	58
PID 2696 wrote to memory of 1952	2696	Запустить Nursultan.exe	58
PID 2696 wrote to memory of 1752	2696	Запустить Nursultan.exe	60
PID 2696 wrote to memory of 1752	2696	Запустить Nursultan.exe	60
PID 2696 wrote to memory of 1752	2696	Запустить Nursultan.exe	60

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2580
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1396
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1280
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:808
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2496
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1332
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2440
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2188
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1052
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:1324
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1292
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1952
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1752
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:612
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2724
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2424
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2328

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2904
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:872
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:840
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:536
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:900
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2468
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1524
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1768
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1836
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1548
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1772
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848

C:\Windows\system32\taskeng.exe
taskeng.exe {890CA7D4-EC25-4A9E-8E64-F5F9EE524DA3} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]
1⤵
PID:2752
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d6a8fc2b00b792c50548812a6e06fc0

SHA1
c0a004b46a8a122b8008c77c631c0e91f7d1eb47

SHA256
f790f890d0af5c2f3ccf2be8dcca5813b3602e0d06b333dfabce3ed4fcb07e84

SHA512
689801f3ace1dc807be7db9a2b648127de32f88543800593f8e2bcdf3e94df1e805a13c8d81c7fbd4afa6c2443d142116e83ddf8f89d2eedc84cc48f13f06262

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a64d053e113d59032dfd10ca49e0327e

SHA1
4d63d97acc794b792876831fe8d680ade126bd41

SHA256
9afebd158871c123635ce5b28c2bb7e68418711c5200f47a4e7f5ab09e2fd3b2

SHA512
fe0712512cb15af1a9400fc7e995256d410087c2d7eb8ca75bc1c283076a25c39855d5cb8ae87659b710bee1b08926461a1ec76c3a563662cad5e53ab23e2865

Download Submit
\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

Filesize
102KB

MD5
c137c5f5287d73a94d55bc18df238303

SHA1
95b4b01775bea14feaaa462c98d969eb81696d2c

SHA256
d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

SHA512
ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Download Submit
\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/848-167-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-160-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-166-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-158-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-175-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-164-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/848-157-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-168-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-162-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-169-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-165-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-159-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-161-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/848-163-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1324-56-0x0000000005970000-0x0000000005A26000-memory.dmp

Filesize
728KB

Download
memory/1324-47-0x0000000001040000-0x0000000001228000-memory.dmp

Filesize
1.9MB

Download
memory/1624-7-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1624-6-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/1624-8-0x00000000021A0000-0x00000000021A8000-memory.dmp

Filesize
32KB

Download
memory/1656-74-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1656-75-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1704-90-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/1704-91-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1772-148-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-155-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-153-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-151-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-150-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1772-149-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1904-53-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1904-54-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/1952-107-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2288-146-0x0000000019DE0000-0x000000001A0C2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-147-0x00000000011D0000-0x00000000011D8000-memory.dmp

Filesize
32KB

Download
memory/2332-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-65-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2544-140-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2544-139-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2672-173-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/2696-29-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2780-23-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2780-22-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2804-0-0x000007FEF4D53000-0x000007FEF4D54000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x000000013FA80000-0x000000013FD80000-memory.dmp

Filesize
3.0MB

Download