Analysis
-
max time kernel
46s -
max time network
37s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
14-07-2024 17:31
General
-
Target
https://www.dosyaupload.com/3tC5q/12312.exe
Malware Config
Signatures
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 61 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 1 IoCs
-
NTFS ADS 1 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 46 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dosyaupload.com/3tC5q/12312.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4b2d46f8,0x7fff4b2d4708,0x7fff4b2d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,2130595658575984393,14195202795747487130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\12312.exe"C:\Users\Admin\Downloads\12312.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\12312.exe"C:\Users\Admin\Downloads\12312.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""4⤵
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "ExelaUpdateService"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1984"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19845⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
-
C:\Windows\system32\chcp.comchcp6⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
-
C:\Windows\system32\chcp.comchcp6⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"4⤵
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\net.exenet user5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵
-
-
-
C:\Windows\system32\query.exequery user5⤵
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup administrators5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵
-
-
-
C:\Windows\system32\net.exenet user guest5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest6⤵
-
-
-
C:\Windows\system32\net.exenet user administrator5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator6⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
-
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXEroute print5⤵
-
-
C:\Windows\system32\ARP.EXEarp -a5⤵
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- Gathers network information
-
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
-
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"4⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\12312.exe"C:\Users\Admin\Downloads\12312.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\12312.exe"C:\Users\Admin\Downloads\12312.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5c00b0d6e0f836dfa596c6df9d3b2f8f2
SHA169ad27d9b4502630728f98917f67307e9dd12a30
SHA256578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1
SHA5120e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da
-
Filesize
152B
MD554f1b76300ce15e44e5cc1a3947f5ca9
SHA1c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7
SHA25643dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24
SHA512ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a
-
Filesize
20KB
MD5261fde3726e10ce16c8c064a911b063f
SHA1aa00c171e26c3adfe81ce92ff0d69a9ae2221819
SHA256752c5bddc58e3f7d6670d7c92c5731e627f963a7c44ff1c2e985129b5f4333f7
SHA5121cee8c21fc32320d056f2cbd9300c72204907297000b3d3c5f2c1d1124e46db29d23d7d0e13a8fc1b1b4802f6c15bbb24c402439a4c106bb00d98dbe5ed3a9fd
-
Filesize
1KB
MD5343edb4e9488330634411c3fbc0f3772
SHA1887a9cc741f92e42fab137caf2cb4632e526be15
SHA256d46dbe6bb22687c6a6b2a121de60e41f9c6102bb13992124cbb5dea7d1978a86
SHA512bd175a5b2183e3358af0126f8102c49d7c79bed739595a786747e9c130bba0bfad459cecf723b7de4ddd42ad946db3e29307df10ff2297a2c9b4799999e274c0
-
Filesize
3KB
MD5977a9ef6262bdb16bd602b569c443c04
SHA1fa6b23ec47e4e065db66ee8392b80fcec396ca34
SHA25629f4104cf0cb9b1af104a3d482b72ae6993928bbb8d76f22b23700db1057e61a
SHA512aca3c0906ddbbb145551694c8ec35ea7eeff5de93338b7cbc9372927e78964ccbe4240b096934f05fcb38d6b3111fae979fff3ad7dcf2fe452c15f22a621acb2
-
Filesize
6KB
MD530bd8506daaae70a06bf979cbfb0ccea
SHA195f0e2bf10214a65ccc8609d3f0e9cf8ae4a0e7c
SHA2569e28dfd873644e4691693963014ba7c32d93e58d727bb5d389d5ed1846945b39
SHA512f0ee9ccd4ae0b6ab0df81defb920cd98a7fca8c63bd40b7fb5a1ab959741ccd25ab61e7e6b0016698b7a16f595c1e2a2b8d8db7753a90ab7674dd04636ef9434
-
Filesize
8KB
MD568180927b0b090b4d5ec11e43e73e72a
SHA119fd6deaff37809f130406232573531a2a3a7047
SHA25684da2c5f178f28d5163b88419fe5b16299374b804e1ffa174605d1870f8f76d5
SHA512fe570182062c46a6d2aeea5098bd768a44d58fcebf7be5a583b6152c576e0181afa945383829e22fae5170ce2febd3880814abff34f34ac40b16b143ef39fe7e
-
Filesize
8KB
MD51d13d8f192869ec0b8903316712e48ad
SHA17dcdf3ee055f1eded2c6faf32a96955bc1af0d58
SHA256b6c4ea01ed0b47a982138bc7f2ed251dcb1cbb7811c8f7c0af837254b77ff9aa
SHA51242dc5f490c9a761f99a2c865e7cfe622029795f2b863b1b2540172c48a12dc96cc7be9b592bee9950d6457981bb60b1af53fcf6aad5f945af81ffbd470f18c2e
-
Filesize
8KB
MD5cc98bb4e11d17cf846163a972c072045
SHA1b0a4a5c0f481ac637931ec41d257b303260e52c2
SHA256443afcbc6197cd9be99d010f4f287ae2b6472fcee70cd5c748faae1ea5c6dc84
SHA512fe8f761f2a9791bebfc9430052826a99728583ac775da06beca212dca1285d00033f24b5c0238b051af7b1c3df289a2cd45c4fe51940213ded4a1d31bcc6413b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD522ab4b9301adeba29b20a3a0ad30c7ca
SHA1851db2352378ffec68da1992367b10f73e5f6382
SHA25609148f71b03cc80ab3b867e6ae2bc145b0dca24f203bde5e5dc4703afa54bcd9
SHA5127b06bf415c16f33f3786c66eb5cf2e9d81b56f6089cec192d499d94677bd321281c50bee7c5c7269466368ed1d70d6638816d53104b634ae093a2b429336e8e0
-
Filesize
11KB
MD57c2892112f2628270f00df2b8c3f6796
SHA10a127c5ffe398440ed24c60f915da798473c6d71
SHA256358b163cb5a726939a12bfd8a9bf6f9629e25a0c99621de8a2b963fc00706345
SHA512fe2fe897e8a0342da7b94dbc792cbd5bac0f836741e8e7d698daebe82f3d713eb526d417738181dc45bb271aac76c4359690119919955198e4b53e55b9866523
-
Filesize
124KB
MD5c0b85c272096e28aa9d97ff581af3bc7
SHA10826bb1cb4ef49080b040cf9c98a227567aedaa5
SHA256a601851d901c4b09409c0c593bbbab241f63892ea82618dff268fc7a0b78750e
SHA512635f2a215617800816dd5ea62e4f50dc6448cb239961ef45c0c8bf4a22f57bf8910ae068b9eb22b5164f7d77bf17a4c89f7987dd12581d08f061b45a37ff1e77
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
35KB
MD5021e66464fe95e60f9cf4169fb1c32a7
SHA1ec9d69871aab3d739b6451f6fb3f7cf2b7693a5c
SHA2565806f8f55e9634f09f5cf8ac6dd8f2fd19101c748f0f4b9cfab111068616f05b
SHA512ce9602902015cd0a458fe73d9b5474bdf36b3bbdf6ae4231a9e319663edac5ece5cab2ebf0744cff83caf0ccdd91cba1ee869ae808a6b18271be2701fbd709c1
-
Filesize
47KB
MD59711532245f60f4a23eccf7ccac3621e
SHA16918ff56c1399532ef02cec3b22a18ffee20e1b2
SHA2568da059307d40bcc3e58d991e9ca1e2fc081b8dd83e14d608b8f6e0c0a14a0da5
SHA5122ed9aadbbd5c2eed7f81e97a5c0ba6efce6d73abcea43011b459c0a656c4c3b3acfa8fee7d3ca3fa2192356b6565099256a366286adb51000ac668023c7e36f2
-
Filesize
71KB
MD5641e49ce0c4fa963d347fbf915aabdbe
SHA11351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10
SHA2561c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906
SHA512766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616
-
Filesize
58KB
MD51a58dc0b5a50bddb05d0460150609fd1
SHA175044b6ada8f3480e6af1e47fe6521c7d0ebed16
SHA2568186961915fdba316711fbe6154edc59f814b38df5b4e46d71312652bdb2813a
SHA5120d915d407a80e8f703b5b85470c695cefb3d0b5f91537b367968625a4756667c0911b2ad6c168c224a3ae9facb44b20e629ee7f9f413b684dcaf98001cfd5cb3
-
Filesize
106KB
MD5dd2894f65c817ddb3b7126011e83d80b
SHA1a8c0575717b5b13f35e9a734789c79ccec2b1eb9
SHA2567034c2c953606fb58c62e859e8ff439ea2df9c6000c0ef8a365901308d046635
SHA5129e32e87b4c627d0503a69169067e04711b8045f5060a7240e83c49dbe8932bdb0636330e2212ca381f99105db0d24687291c5105be53dd73867e14e97119f86c
-
Filesize
35KB
MD53757e7b512c4c723c926704e0be7c7f7
SHA1a5627d21817363e15ce11208d3ec0f417e286553
SHA256a78348ab8177b0f19d9ad1ce377fef42847c076faa80044a5da58f3e6439b413
SHA512693417c74c6875f0d9e5aec9c721b01f55797b126cdd2c0412d6304fcb4c3421cc48174d0c0149999d3229161c581f96e3cff09357f3277bf4456d1013ad2b49
-
Filesize
85KB
MD55a8808031ef92fb5fc3126c13e1c6581
SHA1a448355972d23805401b68ac0acbcc72029e5419
SHA25634cca698a21b6220368234788b4451c757ba58729dd13e9db55b6711027589f4
SHA512f15b3e33f495ed3462ac5fe114b9640067928aad9ef70b51f08666f05f0a2444141d289bd46028f4eb4d3b6101e87c3c720886ca8c463a91e53c94d4329e8a1f
-
Filesize
26KB
MD52d7a90548342971007c71df865035277
SHA1ebd940079f4b3971b02c9d688ccb4fa555badde5
SHA256c9b3ac4e1f1814b7d979592f94d66007c487c69ba80f5a218319439115f0e8ae
SHA512112fcd6b90c78a2b741a5b32dad1ce28432bbb9cbc170bbd4c1d56cf4ab024f5ada00af809c887b1fbeb3ed3054635638c75c6b279e8ce1ba810d72e31ca27c0
-
Filesize
31KB
MD54ab2d8f0651fae7ae9b7c97dc4dc6101
SHA16eb60d76e1f49887c5748b8f46b370c9132caa5f
SHA256e3746290cbb81127cbb14cf91da96f6270733d2dc9458218b4f9cb5bd36199af
SHA512808b304163d43865fb317a2543ca406a7b57d1fddbab54d1349ee82a7b5360ac5b72bc34c7e2cdf0f4584afeb22389624568b34f7b523cfb836f2e040abc617f
-
Filesize
30KB
MD5d8c1b81bbc125b6ad1f48a172181336e
SHA13ff1d8dcec04ce16e97e12263b9233fbf982340c
SHA256925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14
SHA512ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772
-
Filesize
42KB
MD5a399c9c68d60ff43517969a0373484bb
SHA1cc66e36258ccdcc6342f0900c2059e0d84191629
SHA256828a04c15d4700b3d6fdb3e03a826c08a097600750e53e8417707b4530bd5834
SHA5121ec0cb9ee3921d8bc17bc00c68a42a929c116263bafb1da19fec1b48cc0b7eb3ba271bce327fcbf43aa6c6bd3d75b82cde637d6265a5642a5a79eca4aa51d6ee
-
Filesize
50KB
MD57f32dc5378d3ecb01a9b5573ce85860a
SHA1ac5a2a0f375e0c5d5b57d53b851eef11c54e5cc8
SHA25651321be399f0a761f8e59825f61717a93998a9c8797edbcce553a20479832bd5
SHA512e4e857419c91f19bee36088f069089eefb527162713c43cb6e536445975f40fa9b7617d09a359c2daf7990628950fcac21074f161fc049d9434440dd7ed00862
-
Filesize
62KB
MD53ba00e92bb341d31a62159845b6a66bb
SHA157eaa1fb60d9c02b7f96b49305199c04e336a411
SHA25693c2915275df8fd65aa3d69ac96c80266fdab107d50714b685d7f2d4cf122c66
SHA5122c22116b7e21b6fafb038d56aeaf4e58b0606ff341cb2f31d7b3544bb9a4c2f3feda44a2fe3b9398812d5648df89101ae7ae7626e0271c54ad057fd1bd0b70b6
-
Filesize
24KB
MD5b68c98113c8e7e83af56ba98ff3ac84a
SHA1448938564559570b269e05e745d9c52ecda37154
SHA256990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2
SHA51233c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8
-
Filesize
859KB
MD5483d9675ef53a13327e7dfc7d09f23fe
SHA12378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA25670c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5
-
Filesize
1.1MB
MD5bc7992a363713cdbdaabcef122b3024e
SHA1ebb3447ec249fb6cb099c2c307465aedaa7b4119
SHA256438caa81611797f8185be0657d36270bdd1c0b83414042421c48d4bbc58173ae
SHA51278887b40cfad5d0f9136cc6e8dcd1e9e105b7b8405f7f06e7abf84e8d1a85a0aa327ec96e505ab14c9f98c4304b6286e461bc182fcf390dba36387091b4ff357
-
Filesize
23KB
MD5d50ebf567149ead9d88933561cb87d09
SHA1171df40e4187ebbfdf9aa1d76a33f769fb8a35ed
SHA2566aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af
SHA5127bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de
-
Filesize
204KB
MD54ea5db623558b462d54d95b91265ae88
SHA1d3a60c24e6ebabee2e43611a8d97672ef5a0fcaf
SHA2566abff5f7de8d524dafb0b7ba0543f5774c1efcbcbe7d61f7cce5941c1d1274c1
SHA512a90f0909bb1e2528fad0fc5e48f0cabbbe3eed62a3673be7a10751e6c396fce043a8a105d967c78858659a4ea169e8811d58a0ba01ced5dbd9d78a844f247e8b
-
Filesize
87KB
MD5452a36a103dd499a19cb6fe52e037d9f
SHA12575ef57581eb1b34481e35df31f86900b8d3634
SHA256c4986479a7e3a026ccb66246fea6caee59365d680a9d04231600294f870d7ace
SHA5128e2c76eb1030c85bb6d234ce3507f3cf230c6e8a2d9ab661370b48e2d28f56616e642ab0e02d5280141157a27213efe970b189183974901b47fda38dc530cc0d
-
Filesize
64KB
MD5fd4a39e7c1f7f07cf635145a2af0dc3a
SHA105292ba14acc978bb195818499a294028ab644bd
SHA256dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA51237d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643
-
Filesize
1.4MB
MD5b9e7c60cf489b8911885c9431d59dc7d
SHA11d1515084c607b166bbba717bae1f92407bce98c
SHA256f41e60314305e70412ebae0f5ca944c4dec3c52101583948456f310ac8d0e5cf
SHA5120783e57fbd4e3c75014cb747bc04c749c6ffce571eea5e75cbea35a65a4922caf4e904cf71745b80ef97dddb398791207457945c8f0c0a4aa27c3e7ba967a81f
-
Filesize
25KB
MD52de5ffb36a347c49789c35b322ba94f3
SHA13a5662ec40abd74d91ed46738ad7b7938f9958a0
SHA25695629553202ffdb15cd8b5263a085a743d05dd93e154b338204f8ac5becfc49b
SHA5124bc65f00176ffb0c64a2e7bdff111a91e242fcdc78b2a842f97f88bd3c3f4b408844c1f4a11a154a331933a3379d40ff4a690257bdb80a426021140f05f817d1
-
Filesize
622KB
MD5a1d20ae7e9808bc2aaa13c4e25022913
SHA17acaf99752e58831494c9bfcbb26668bf24e4250
SHA256354ca08eaa7ceb6ab4e1739644707ccaab85992aed791205eff3c2034f197971
SHA5122517e2a29edd0bf32985bf402288a57837f68b369227aed1805012de468946e5b5b2fc6336e97db8500a6c7d30ef825a515858f260b8509e3ea61d5c5a149990
-
Filesize
289KB
MD5d569c3635f5d76d21ce0b5319cdd627b
SHA19e3f6fb6edb2f7b68054df3226f6bfd0d7a2c9bb
SHA256341f18eaec783392bd3468fe26e874d53b5e00fbb9b551e69c9a5334ea8bb2c4
SHA512c5cc50fcb36fb3fa6f51ffa956d395b884ffd9e0cfee11b4da902b7bbf2da3e13059d2c7b5074daf7aba4a41bd1578bfff540dcc5ca39f063f7ede9674aad49b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9.4MB
MD56051f4511059448a1447460a1f2cc76f
SHA1f5dd5151c773d4040ca09c2dc088fccb806a608c
SHA256d1eb822518f773d1125b035c31528a6d0d33bf3628ed3a29875a18fbd7ccd7d3
SHA512a709f397906c57a69064d596e77fe30d3c74243d9cdfb8dffc77324cfdeb7b1206a7c9cdc8f37cc2282e639f0ad77e4248babdf53083ab86b8bcfb2adf47a401
-
Filesize
92KB
-
Filesize
124KB
-
Filesize
1.5MB
-
Filesize
176KB
-
Filesize
96KB
-
Filesize
100KB
-
Filesize
184KB
-
Filesize
52KB
-
Filesize
736KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
4.4MB
-
Filesize
1.1MB
-
Filesize
84KB
-
Filesize
80KB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
92KB
-
Filesize
100KB
-
Filesize
124KB
-
Filesize
1.5MB
-
Filesize
184KB
-
Filesize
68KB
-
Filesize
292KB
-
Filesize
120KB
-
Filesize
736KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
7.0MB
-
Filesize
80KB
-
Filesize
224KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
1.1MB
-
Filesize
136KB
-
Filesize
224KB
-
Filesize
144KB
-
Filesize
4.4MB
-
Filesize
7.0MB
-
Filesize
292KB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
3.5MB
-
Filesize
736KB
-
Filesize
184KB
-
Filesize
1.5MB
-
Filesize
124KB
-
Filesize
144KB
-
Filesize
4.4MB
-
Filesize
60KB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
96KB
-
Filesize
1.1MB
-
Filesize
136KB
-
Filesize
124KB
-
Filesize
7.0MB
-
Filesize
96KB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
736KB
-
Filesize
80KB
-
Filesize
4.4MB
-
Filesize
84KB
-
Filesize
144KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
124KB
-
Filesize
92KB
-
Filesize
184KB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
736KB
-
Filesize
68KB
-
Filesize
292KB
-
Filesize
7.0MB
-
Filesize
224KB
-
Filesize
736KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
3.5MB
-
Filesize
184KB
-
Filesize
100KB
-
Filesize
176KB
-
Filesize
96KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
60KB
-
Filesize
84KB
-
Filesize
80KB
-
Filesize
124KB
-
Filesize
224KB
-
Filesize
68KB
-
Filesize
292KB
-
Filesize
92KB
-
Filesize
136KB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
144KB
-
Filesize
4.4MB
-
Filesize
176KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
60KB
-
Filesize
144KB
-
Filesize
4.4MB