35240b3624b0304d9a7408555ada094a60c648f19ab1eeb5914cf0c3223c12f2

Analysis

max time kernel
359s
max time network
360s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

g3ttroll1ed.exe
Size

4.5MB
MD5

33241a3aadf06404014353cfe3a47bac
SHA1

a0bcbb2e7fde364d8f997b95303cd0c3b2e6b9fb
SHA256

05e06e0f9ea0b245aff5f7aadeb69cce15e162effd29b4eec21bac3418ed414b
SHA512

38e72ba8a3876b6d02606183ef671a566a1ce17f4d4923a4ca8a785b60b7240a0c7e29622dea05d3df176ef316a2712a59eba11d37234b4c34aab64dc98c773d
SSDEEP

98304:/Qf3s64R9ybzUcwti78OqJ7TPBF3ZlHHgkWJ0P39qXSaDv:OzUcwti7TQlF3ZxxWJSUnDv

Score

9^/10

spyware stealer upx

Malware Config

Signatures

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral3/memory/2644-1-0x0000000000170000-0x00000000005EE000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
behavioral3/memory/2480-11-0x0000000000E40000-0x00000000012BA000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2644-1-0x0000000000170000-0x00000000005EE000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
behavioral3/memory/2480-11-0x0000000000E40000-0x00000000012BA000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
behavioral3/memory/1772-132-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/1936-128-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

RtkBtManServ.exebfsvc.exesnuvcdsm.exewinhlp32.exesplwow64.exehh.exexwizard.exe

pid process

2480 RtkBtManServ.exe
3068 bfsvc.exe
3024 snuvcdsm.exe
1936 winhlp32.exe
1772 splwow64.exe
620 hh.exe
3032 xwizard.exe
Loads dropped DLL 12 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

pid process

2796 cmd.exe
2796 cmd.exe
2180 cmd.exe
2180 cmd.exe
2416 cmd.exe
2416 cmd.exe
2416 cmd.exe
2416 cmd.exe
2416 cmd.exe
2416 cmd.exe
1176 cmd.exe
1176 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2480	RtkBtManServ.exe
3068	bfsvc.exe
3024	snuvcdsm.exe
1936	winhlp32.exe
1772	splwow64.exe
620	hh.exe
3032	xwizard.exe

pid	process
2796	cmd.exe
2796	cmd.exe
2180	cmd.exe
2180	cmd.exe
2416	cmd.exe
2416	cmd.exe
2416	cmd.exe
2416	cmd.exe
2416	cmd.exe
2416	cmd.exe
1176	cmd.exe
1176	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
behavioral3/memory/2416-115-0x0000000000170000-0x00000000001CB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
behavioral3/memory/1772-132-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral3/memory/1936-128-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

13 discord.com
14 discord.com
6 discord.com
7 discord.com
10 discord.com
11 discord.com
12 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipecho.net
5 ipecho.net
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
13	discord.com
14	discord.com
6	discord.com
7	discord.com
10	discord.com
11	discord.com
12	discord.com

flow	ioc
4	ipecho.net
5	ipecho.net

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RtkBtManServ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RtkBtManServ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	RtkBtManServ.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

snuvcdsm.exehh.exexwizard.exe

pid process

3024 snuvcdsm.exe
620 hh.exe
3032 xwizard.exe
3032 xwizard.exe
3032 xwizard.exe
3032 xwizard.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RtkBtManServ.exe

description pid process

Token: SeDebugPrivilege 2480 RtkBtManServ.exe

pid	process
3024	snuvcdsm.exe
620	hh.exe
3032	xwizard.exe
3032	xwizard.exe
3032	xwizard.exe
3032	xwizard.exe

description	pid	process
Token: SeDebugPrivilege	2480	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

g3ttroll1ed.exeRtkBtManServ.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 2480	2644	g3ttroll1ed.exe	RtkBtManServ.exe
PID 2644 wrote to memory of 2480	2644	g3ttroll1ed.exe	RtkBtManServ.exe
PID 2644 wrote to memory of 2480	2644	g3ttroll1ed.exe	RtkBtManServ.exe
PID 2644 wrote to memory of 2480	2644	g3ttroll1ed.exe	RtkBtManServ.exe
PID 2480 wrote to memory of 1720	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1720	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1720	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1720	2480	RtkBtManServ.exe	WScript.exe
PID 1720 wrote to memory of 2796	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 2796	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 2796	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 2796	1720	WScript.exe	cmd.exe
PID 2796 wrote to memory of 3068	2796	cmd.exe	bfsvc.exe
PID 2796 wrote to memory of 3068	2796	cmd.exe	bfsvc.exe
PID 2796 wrote to memory of 3068	2796	cmd.exe	bfsvc.exe
PID 2796 wrote to memory of 3068	2796	cmd.exe	bfsvc.exe
PID 2480 wrote to memory of 1104	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1104	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1104	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1104	2480	RtkBtManServ.exe	WScript.exe
PID 1104 wrote to memory of 2180	1104	WScript.exe	cmd.exe
PID 1104 wrote to memory of 2180	1104	WScript.exe	cmd.exe
PID 1104 wrote to memory of 2180	1104	WScript.exe	cmd.exe
PID 1104 wrote to memory of 2180	1104	WScript.exe	cmd.exe
PID 2180 wrote to memory of 3024	2180	cmd.exe	snuvcdsm.exe
PID 2180 wrote to memory of 3024	2180	cmd.exe	snuvcdsm.exe
PID 2180 wrote to memory of 3024	2180	cmd.exe	snuvcdsm.exe
PID 2180 wrote to memory of 3024	2180	cmd.exe	snuvcdsm.exe
PID 2480 wrote to memory of 592	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 592	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 592	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 592	2480	RtkBtManServ.exe	WScript.exe
PID 592 wrote to memory of 2416	592	WScript.exe	cmd.exe
PID 592 wrote to memory of 2416	592	WScript.exe	cmd.exe
PID 592 wrote to memory of 2416	592	WScript.exe	cmd.exe
PID 592 wrote to memory of 2416	592	WScript.exe	cmd.exe
PID 2416 wrote to memory of 1936	2416	cmd.exe	winhlp32.exe
PID 2416 wrote to memory of 1936	2416	cmd.exe	winhlp32.exe
PID 2416 wrote to memory of 1936	2416	cmd.exe	winhlp32.exe
PID 2416 wrote to memory of 1936	2416	cmd.exe	winhlp32.exe
PID 2416 wrote to memory of 1772	2416	cmd.exe	splwow64.exe
PID 2416 wrote to memory of 1772	2416	cmd.exe	splwow64.exe
PID 2416 wrote to memory of 1772	2416	cmd.exe	splwow64.exe
PID 2416 wrote to memory of 1772	2416	cmd.exe	splwow64.exe
PID 2416 wrote to memory of 620	2416	cmd.exe	hh.exe
PID 2416 wrote to memory of 620	2416	cmd.exe	hh.exe
PID 2416 wrote to memory of 620	2416	cmd.exe	hh.exe
PID 2416 wrote to memory of 620	2416	cmd.exe	hh.exe
PID 2480 wrote to memory of 1668	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1668	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1668	2480	RtkBtManServ.exe	WScript.exe
PID 2480 wrote to memory of 1668	2480	RtkBtManServ.exe	WScript.exe
PID 1668 wrote to memory of 1176	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1176	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1176	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1176	1668	WScript.exe	cmd.exe
PID 1176 wrote to memory of 3032	1176	cmd.exe	xwizard.exe
PID 1176 wrote to memory of 3032	1176	cmd.exe	xwizard.exe
PID 1176 wrote to memory of 3032	1176	cmd.exe	xwizard.exe
PID 1176 wrote to memory of 3032	1176	cmd.exe	xwizard.exe
PID 2480 wrote to memory of 2104	2480	RtkBtManServ.exe	cmd.exe
PID 2480 wrote to memory of 2104	2480	RtkBtManServ.exe	cmd.exe
PID 2480 wrote to memory of 2104	2480	RtkBtManServ.exe	cmd.exe
PID 2480 wrote to memory of 2104	2480	RtkBtManServ.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\g3ttroll1ed.exe
"C:\Users\Admin\AppData\Local\Temp\g3ttroll1ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs60mxdU+lA2BbnUyqaxTaH4Jr31I/RkZECDvIySFqYbrtzscpDOyatJnxFkkqCDIcWouirC6gPXky74iFLNUGrji+iiHogYYHxmZt2qGHNUOVLDC/ED+Aoofqy96tUDWx8=
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        5⤵
        Executes dropped EXE
        
        PID:3068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        5⤵
        Executes dropped EXE
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        5⤵
        Executes dropped EXE
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:620
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2906.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

Filesize
420B

MD5
51c9e864182413f35b76d42d435df261

SHA1
dc5ec227ab38093927a119b4d646c3811c3553cd

SHA256
e6c5c674268a865db840afd3764cd498bdfd8fe677c5193d662abbe64d68975b

SHA512
b36e683b6487bfbf4e512214343128e57a52eb71356345caba70a98dc5b0bad764da842d08443d3b47bd3dddbe24af146c561ae480038c95f124a51565e3fd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs

Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
107B

MD5
5cf0b95f68c3304427f858db1cdde895

SHA1
a0c5c3872307e9497f8868b9b8b956b9736a9cdf

SHA256
353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa

SHA512
5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe

Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\whysosad

Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
\Users\Admin\AppData\Local\Temp\bfsvc.exe

Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
memory/1772-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2416-115-0x0000000000170000-0x00000000001CB000-memory.dmp

Filesize
364KB

Download
memory/2480-13-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-42-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2480-46-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/2480-45-0x0000000000D20000-0x0000000000D5C000-memory.dmp

Filesize
240KB

Download
memory/2480-44-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/2480-43-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/2480-48-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2480-10-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2480-80-0x0000000005200000-0x0000000005208000-memory.dmp

Filesize
32KB

Download
memory/2480-47-0x0000000004770000-0x0000000004812000-memory.dmp

Filesize
648KB

Download
memory/2480-131-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2480-136-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-79-0x0000000004ED0000-0x0000000004ED8000-memory.dmp

Filesize
32KB

Download
memory/2480-181-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-12-0x00000000046C0000-0x0000000004770000-memory.dmp

Filesize
704KB

Download
memory/2480-11-0x0000000000E40000-0x00000000012BA000-memory.dmp

Filesize
4.5MB

Download
memory/2644-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000170000-0x00000000005EE000-memory.dmp

Filesize
4.5MB

Download
memory/2644-124-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download